Malware Analysis Report

2025-08-05 16:42

Sample ID 240204-wd2plahfbn
Target 8fc63e8c5de9e771badefaa50cc2f7a0
SHA256 4f700aa822f77dc376c2f9d80df9c65f2a0868d358c8ef33420b63dacbcd827f
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4f700aa822f77dc376c2f9d80df9c65f2a0868d358c8ef33420b63dacbcd827f

Threat Level: Shows suspicious behavior

The file 8fc63e8c5de9e771badefaa50cc2f7a0 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 17:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1648 wrote to memory of 1744 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe

"C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 248

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:52

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

159s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c17c9a9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2491094418" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4d347bde384c849be64bb2f1c358fef000000000200000000001066000000010000200000005920db7228bb089fb7c8d11c63515934b2bd4384eaf6bc452eebcf3fc4136db4000000000e8000000002000020000000bdb3c24e65eacd6ff1acc2a00bb38d1a286b7326562db96f38da00f88c1e7fe82000000089be313576f64881b11e64b12fdb6eb320b1cc976908b0f1008657df4e54bd6a400000000ca41fb0e3500ea05ccd3088eae5773003929c8aa41fdf69c0fcead5640d4cd03562c18ac4de09d5d62d01641543737866d709fca78925a1300824e8ad9b216c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BF8280D5-C385-11EE-B6AD-F68B0B0A1028} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2552970220" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4d347bde384c849be64bb2f1c358fef000000000200000000001066000000010000200000000ab20d005a523fd84bc464c8d663f407d769953ccc2c259ad611c1b6ceea71d9000000000e8000000002000020000000425ea13818cd2c137f1d8c08c5627d23b02914426733c16cc4acc07e8c72d9cd20000000a2679f1a6ea22cd08adab9757d4bf83630d2f8b15f155b871b9d7af9bbbe3093400000007b862d1774b877637bafce21498ae149d2baa84ef5483828bfdbac2f76ab9af37e9adc51e0b3a0cff2938166d868bb46bf5e7a4e49a46c54c5a166b7bcfc4261 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70bb9b9a9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2491094418" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413833951" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 092249f4c89afed36ec2e5c494dfedcf
SHA1 33fe8f486b9639935b5a876168ce817ef6dd3e8e
SHA256 61c7e2d596e32bb2b81c1712f2a800cd509dc561d08c876cee3fd5509c85f48f
SHA512 5c522858c083c44670b4a27634d886e9bf4e08d93033200676b7d3a3d42f3a456358a8c4af2cbdca469922d0abd5fb81af1dc0ea183ce15861a642c925726af3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7bde92ff965b73dc76190e608c2fbb93
SHA1 95547789d183bbf9ea20ef6ba4c6b2f0249fb30d
SHA256 821420f187b512f853c8b73d9439e940e6e04c499532561343a739717a9a76ee
SHA512 21406b04613e8be9f2036f5057d6d3de568ec1aa4eb6471cd457e70e6ddadfc3b988d5f4c2d316e548b21b2850944a78d75a44ec3bf929e71fe61fb6b0de4ec6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B9EEA6CE-C385-11EE-9963-CE055DF4442A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2388142200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025ba558cff15364f83b59eef6d4e53a4000000000200000000001066000000010000200000005e2d435351b3010534743fd0d714f459dad5bc2193ed6e2de0368bbf8779c164000000000e8000000002000020000000d6549b542b00bac262d04409ae90f5e128f21796d132e064820cbde191f7e9ba20000000c3d46d876470ec22c7e73c9651830272029f5a4d0acfe6c92ab23bb3a3c1329e400000009491ae5ecd0ef2e9cd37dcd206bb18fe4d05f66dd987e0a5ac3d2c678fef3ad44754bc2bb9d013ff9102d2e7ff4c265b2b281e51b01cb13f76bae2f49a33a81b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c5e48e9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413833935" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1054e28e9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2391892821" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2388142200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025ba558cff15364f83b59eef6d4e53a400000000020000000000106600000001000020000000b585273e2556e4dd6fa395bbfa9d5671bfd5c5e835003074b70e6c9578dd42eb000000000e80000000020000200000006857d7048f403b900a0c6fa8062568734904500cc2a46950bdc38e74cc22d55720000000c625caa208eed8770a18053e6702032c21aff7da5217ef219ca917c01e5b7e68400000007fd2a9add8753170d05dfcf4050d31b2a812ba1f590d7a184c7fe84fc6e5dde3298d76f1e5dec7aefbdab14f83c8a81e5a404c7e86b278414a8bc1e48ae551e7 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 f89601185c58d0ebf85b18cf942743aa
SHA1 e3c11a6d20526223a6d8cbec7f32e1e148291ade
SHA256 bc4a2e33f4a23bd793263f1a6f42e60a625aadee17f64686f2421a4b140697ec
SHA512 cdb75fe76a8eb904905904fad6109d97e41a8bfd78afd6660a3e0526863421628e0d2c86f42aa4c3df1cb03622390849830dc698bf3ce0f9fc0058a61839eb88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7bde92ff965b73dc76190e608c2fbb93
SHA1 95547789d183bbf9ea20ef6ba4c6b2f0249fb30d
SHA256 821420f187b512f853c8b73d9439e940e6e04c499532561343a739717a9a76ee
SHA512 21406b04613e8be9f2036f5057d6d3de568ec1aa4eb6471cd457e70e6ddadfc3b988d5f4c2d316e548b21b2850944a78d75a44ec3bf929e71fe61fb6b0de4ec6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RVXHSNZG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231129-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d78000000000200000000001066000000010000200000009d26f8e8e0252a065e4d20f8a5eeed51b36b78749c47395e2e9f345208976a6f000000000e8000000002000020000000617ed3a9e7d937127278ea08eaf321d92d98fe6d77b7139919eed5fcd02b8f00200000004f6395876a5ce7fdbecc34554e3445d04cf949c33641d05a0534e678c969121d400000002565bf325bf968694ba7f788c192a9dfbe5c884bfb47ecf6f9e7d52ab69bbd748ee21098e5cd0ff3ff9b8625bf2f754029e0d7a756cf47ed245be779832032f4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B965C7D1-C385-11EE-87B3-6E1D43634CD3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000cc0beaefc49a21d07a693f3eee3fee3c7aa79bad4cc8fc4d4352f6e814fa33b3000000000e8000000002000020000000597acae6cb501c58452f9c2b3fef0ef64c74f6a8d7edfe6842839c193669e48d900000005a6566ff99789733b8a5476b8a410a5a9d42a764217f6c05b43682736e6273dfc039b0ccda0691347aaef46eadd61e846e66370a8e339258811776a11718d758f242ca05dc5216dac258619c41d96b95348f1398688b408d3fa85581cdf045a534aec22b51fa920919ec9e37d4b94efbabc06c8db7e7120a5c33e80b5a8e8d52027f07e6482b106aec65ce0542687a08400000008984be168b7e1f6be95153eb40d61df1f26a17c9c4cb6d711485fbec1d8348f9ff563a1a952fcbaf38a9a86246cb6ac5a02f2d86ec41bffdd6e1140e42a6d821 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1083f58d9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413230828" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.128.195:80 www.bing.com tcp
GB 92.123.128.195:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab2FE7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar3163.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a955f1ce4046781b4c06c0c302ee9d9
SHA1 8a2c1e727d24ef4f61240c088ac950b5a0fc61f0
SHA256 7312c877dfb6ef622b54f11fa80eadbdeea72899eb177c73c01defeed9deb830
SHA512 ab6db2c2bf6ba4eaf0464ba5d5ccd1bb839c751116d35a0fd86da7237403b4bb2c6358684c41c55ea80b6842f4ca9db1e23d9a24908f89004962a2cd2ace871e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d0aeb7d35fae74b8e63afaa21ed38aba
SHA1 0e8625b86aedecae40b54d2d202b34d629e2cef3
SHA256 bd2aac5d2a2f51580afc7a3bd557065328ffab74e6781a7e9b803da50a9f7a12
SHA512 87357707eb381eb993f55bfacc64b520beea6c710e3434bd12f89041e4c373316e7cb0c15bd2e74b67c3eeebb7466efc7f0db8a79dffc1e16ac9e8a02b062e51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd3bf0c5f87251bc0bf65dff2cea79fa
SHA1 d09d0ac775dd237c0825a74b5df4179bb1671efc
SHA256 ee2cc6724fe619aa56a8b0098f22aafd8420ea009cf248407c0faac358a8bfe4
SHA512 508eccfc5705d2e09e47977cebea07af72abd6f96f81a5f2365ef36e30af102b974d7c4121061022a718f4dc830f16f6840d88f3b85e1bac8c86630491dc1e08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 914adaffbb5e946b83aba4c0363eb811
SHA1 55addbaca80533ab59286483363efbf757dbd8a9
SHA256 fc98d38415000041d0ce7760cf605773737e8df60e239814e24f39e4a5d342e3
SHA512 fd2bada3b051348103f66a5be5921379d1023de620441cb074d723d6d1726d5bbac2ddc0a5536425d6971ddbcf3925c54896f54f9dc280a7ccb151147dee2b78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70999e25f5d2b1c668bdbde1665c90f5
SHA1 6343671108935012421f86396bb83e2954c6c4ff
SHA256 932987539bd65f05c956cb178c8599814cca2a122cf39e9de04c95d9a9ff9eef
SHA512 c235a97def0b9045806367b6b1005557a023df6e83fb81d160dbc9dc3f7f521286b0c9a43c1b5c234a982329f015dbdcca38b937216a0be3a120521383c8f9d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9870d40cd7c66583d99d4716a67e7f42
SHA1 90d1617e23653c6c299ba799b39a996b201ebfa7
SHA256 25cf83730b6bbf1b78d2eb28dad87cc343c84bb30353577d2d60c5df8fa38c72
SHA512 35d94717d5cae98af5d5f6a674e16c6b7ad8c53d02af26c639fac67a07965ee08c73610816ae53a7cb70b268f845a569d5972176a5fcf74c80663c1a5cb45f4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a933f54b2ccc0d7dc12323efc17d2b9e
SHA1 17e42a8fd3e93d46bfec9c4a71c7b2993970f28d
SHA256 2cae9107cb54c1b2376e0bddfd3e585fa2f3e86a23d5a1ae28a6a60a5cd600fe
SHA512 4aca6a87993588f77a2cc0b44a90cd7a61fc7d129959c289db182c3ae682d83dc9d938da16f50d887bc126b3c9df3d238c9b7bcee465565b17f364978c95c2f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0338d3ca815bd4636e514511477c4681
SHA1 913637070ccc31db49c86a48724036fbee0864e1
SHA256 ab020ba82037b00f5a45aba58edb7a17e1d077eee8a446df4bc6f0b2e00d61d9
SHA512 12da705106c5ef9bd2684ae1410950ddf9116e032699c9270231339aa2953d2286bb6b46f8241b6e9deece5deef72dc2eaf7d657fdc0d5554a10660976783076

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e79d7bf12bf39d8bf5b9c7a3ecaec71a
SHA1 4c905acf0f4d227484a5197fad44b890fd49d3e4
SHA256 8a613922b8c90386ed747c7ef13a75ddd12bb4ca6ce9e5405fc558c57909b988
SHA512 5b88fed73f5518dddd571d292c76448a0e6f6e271770f49660c35c66ad6a92c97ca22dc07eae93f4f9f1efc837694c864a29ca0c6b44e48f40a94f4f088092d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 843a2dbc7cd33473c5163adf8651f0e4
SHA1 0cc96d74a5cf5884750468d13f4eeef2c5251d68
SHA256 bae46ba012f70d24cceabc94946f620357fd350551fcc00d311643bfe8338041
SHA512 a8f84e7239021260851219249d46e85cb1d717b3122a91a114acfd82af0d8b6494a7c910ceae70dc518eb34e814068d692f7cf4de971f25e40d4e4e7a13d140f

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2765924ad46b4e4ccd9c843bdc13e2a
SHA1 5964a31e899b591c557b3303ce3c109a5ac88b28
SHA256 16d94c38ca2785ab1e8243f16887169c276a8965a9e73b32fceac4bcb33b0170
SHA512 18c66b965196035285aa9ce7ac13e74c2f216ece9a2f9b171ad818eaca4b025c0b2045efae217f44463622acc76044408d065cdcd6950983d1e19d57cddd57af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3db8195e17f0a2f3b1ebbab8e8717844
SHA1 4ac47a7dee7b2e704d3187342de2be91826e07e6
SHA256 ffdc10948e30e634da95e01496c88fc8f850c45b6dc8de312486f82d3d974e9c
SHA512 64d1c60083e5f2d8891fbe652f17330deeaf8ac7927a551f9017522bed0662029ae2f022cdbef9d793e28a50c3b0d0ab9737409a0b32a46677df85ffa695c651

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92f6451b636cc1dbd6f8689f70eae750
SHA1 155f52922f4a64798b16ee59fb440eb7db4e0efe
SHA256 560b22d91a765f1f92bced45ef50eec343a390b361d894acc0a3250bca46cbc8
SHA512 e23b34e02aa3b3ad071e7d5a930636c23efded8e02fd4d9ab5f9b43bb0e941d36b895922d63d35f477a850769bbb049e69a8f0fd86e41d9943ee860fd44d9e9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 969bd9877b3df5af95bac5279269e4db
SHA1 a4d67f1c3727b68db145a60f0436ded98a6f5327
SHA256 646533eb56e20a575b6b343ebf676deb7e78f2c0adf8246ddcdb5cc74d0612f0
SHA512 2b76df1b7a0db90b0a352213b3c7cf4d3f1fb9c0415c07a8a4cfcd0752774e26d66aca079496102532b08708e52f83f74986a06481f194acc1afe333617933ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e1a25aa63c98092f4d0ea408b6e6552
SHA1 86e0275ea0d1bb171a4694a8577ff9fdffaec28f
SHA256 c1648f4f68a65ce847569758b5190fc31bf761e7533e54d010293b52d8165dbb
SHA512 afaaa90a359ff09055ae4d1fc10ecda0acaf08fdb4d14d016ee0673d6faacf9dee804c1610e7925db7e12480be9ec2e743784e6dc3ec25c89296ffb59601c5b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f56f31cd5221d366e38e3aa246907bb
SHA1 a541ab23cecc8598cd355a310f8bacb9c0230a77
SHA256 0128fcf02733c4b60f49aad7534b86b247ca7b5bdf23f7b49d5a9d490f8db1f8
SHA512 758ef2a293de022c532860104181daef029e73484609d21f8ba5827125c529c7a14618642744330ca1370cbe6cfdaf5b0b88bb40c8bfb8ca8f465248ab6db57f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bb4693bc93613379af7fc205a8a12c0
SHA1 9c4eed7d186fc4cf8bc57f52a296633fd2929e77
SHA256 bfab303a2f0582ab6d47a1ff738a6eee97e94092655160b06c07dd9bd02a5041
SHA512 1c4de88e0d1f56a97ab99a0077c2db21b77bb17830f4b83f2ca44b72846cc23f941349fb5a07fc22ad8963b06bb74f2e191c8060e3b9f47eecb212f9f94c302d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 500d1df792b75ef2c66e9c5c4a401bdc
SHA1 c66d255b1f1af13eeecfc55822c7a93e10561195
SHA256 20c7d1d3425bb4bd376b1e1c987ba8a7bcad6ad94bd739e5082750fa3fd5642d
SHA512 d222a712fd0b9fd01d29dc5c7568595698692473a012e9795aecc7c477cd911d32de5514f5207f10d536b973baccc464d182d11f4beb73e9173446693e1c5380

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ba925a5f7d3d1d00deee82fc6a00e62
SHA1 dad21172ab133bde7c334976ea038e060db7bcf4
SHA256 364bf71ff2e46d9590b5ad71a397b343a14f76849ef4c3d9ab00d7b7096b83a4
SHA512 775b21e3adf0e9a4568f9f9dfab1dc20a83f4a7d12678f2a5de3fc9686cac3c2ebacae5a9f0c1fd56b120179e53a50046ddcdae400a50ed1dac5910edd88cdee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c15240f313eaa1bea987a740df7397f8
SHA1 2ed228fe30e765a46ea7b10ca3b031a4ea89aa9e
SHA256 094acf4836f40153fece776efa90f4de1598df73f940a2cbcfc507f403c8f660
SHA512 5940965e218fdfd64d3b839088f9673be08ca45aacb75174a7ba92d93b42cb4c057609241f9955dbd4198080800d72219a5df71d8a19634c1bd80a36bd7f370a

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2392110435" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8083de8e9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086482" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c8d98e9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d05a5489e56c74eaa6b39ab0831a11f00000000020000000000106600000001000020000000a60985d7d7e2a962fdf48d6a41f52e423b0e1d8ee119d220de9079589b7f8f85000000000e80000000020000200000004cb906446a977824c411e1d3654f003ec8acd79ff6954aa8d3672c318e1ead0b200000003df9a92444a54263e0414cbbd02f2d29cea6e8c0c68efc856141ac3181dd24e040000000aa3209624de5b59085d49db81b5f62a29b79c22b952449108bff0a786f5c1b04eb0b0e630a367fcc54862cbbd670e339eb235c0acbe164a4ededaa936dbbfb6f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086482" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B9EF7664-C385-11EE-8184-527BFEDB591A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2388359828" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2388359828" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005d05a5489e56c74eaa6b39ab0831a11f00000000020000000000106600000001000020000000de026892d1194f963ec5c5837dafc21778128c79f0989f59e7e67c916ecd070b000000000e8000000002000020000000e52b343d0a9ad5a28f5ff51d26ea8f1ce4e2ea0c7f4e1d76acbc516abe3f87ed20000000935affdd2663d412884e9f7c0a746a4e3b888cc1cf14adb84a19e1134b2197d940000000ceaabde3ed7227d43718ab163876bc7f3e4929d5e3acd9b907d227865ca7e2e376d1b671fa37d32219108c800931e26e3b1f69e6d5d6069566c28030b7201292 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413833936" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4864 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3e14a0c3128270b19287fc1f35453b09
SHA1 edffbd74fe510d50ea310a152b78795423ad914f
SHA256 ea7284b92b3b0a8de524b65fc4f0ac16170db40b64c8007be59a32a48e689caa
SHA512 a9c6680f9fb9e79b16bae0093bd6a97cf37f76bee2a46eb9e74dafdcb4711002e00a47bd9122ff6c33f417b582f7a6fec4bf881be3aca8b6a9dd249e3d4f491a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7bde92ff965b73dc76190e608c2fbb93
SHA1 95547789d183bbf9ea20ef6ba4c6b2f0249fb30d
SHA256 821420f187b512f853c8b73d9439e940e6e04c499532561343a739717a9a76ee
SHA512 21406b04613e8be9f2036f5057d6d3de568ec1aa4eb6471cd457e70e6ddadfc3b988d5f4c2d316e548b21b2850944a78d75a44ec3bf929e71fe61fb6b0de4ec6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C34XGPV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:52

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\toolbar_id = "{6E77BF8E-636C-4586-97C8-5BA2C08851F1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 4296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4192 wrote to memory of 4296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4192 wrote to memory of 4296 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp

Files

memory/4296-13-0x00000000024A0000-0x00000000024F3000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 568 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 568 wrote to memory of 4508 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Hayden Panettiere.scr" /S

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\toolbar_id = "{2DD153DB-A855-4943-9FC3-3D5339F9B051}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3176 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

memory/3804-44-0x00000000027C0000-0x0000000002813000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\toolbar_id = "{81B9B537-A20C-423c-BDC2-EEFEA6FBDA49}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3068 wrote to memory of 2420 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

N/A

Files

memory/2420-13-0x00000000003C0000-0x0000000000413000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 1176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4900 wrote to memory of 1176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4900 wrote to memory of 1176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231222-en

Max time kernel

89s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe

"C:\Users\Admin\AppData\Local\Temp\8fc63e8c5de9e771badefaa50cc2f7a0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\toolbar_id = "{9758188A-CD08-466f-98A6-CD23C520B415}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

Network

N/A

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

memory/1200-43-0x0000000002450000-0x00000000024A3000-memory.dmp

\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231129-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413230827" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8C56151-C385-11EE-8D71-5ABF6C2465D5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f1200000000002000000000010660000000100002000000072d03d452cb3ce51289623753a2a246cf84d09f05d93a871818ca0cc1a199caa000000000e80000000020000200000002b5b8dd8ce7a364a580ac7a687172cdc873e6b442c402fbada85a6ed9d7a8378200000000d52d30e7319930ec97f4057d9f40d0689beee5c550f839179023fbde3dc053e400000003c2e2d2e88333f6a125a6f0e09709fa01b3fae1a6cafb47d75bf5b55cc23f2c9664ba874f57be2186bfcdff8ab925fc4321c7a958c977fe41f018dd977de5069 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03a5d8d9257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000046332ab722508540bf00312f0a24f1200000000002000000000010660000000100002000000028ea46a7f39146961f5029e311da3657e600ef0dbdd4d4ae9a68105cfcbba8cb000000000e800000000200002000000053b201c4551920b310eba81a4bb0841d190fc42a10b1e901a07c391e9f221de0900000002c82decf527bde47c35880afdefa18efd8f6861a0c5c34ff8cbfc9562a402f7db0dd9025b63332c533b07bdd782fa751c995936b5fff27d536f01d02d412d5e2f68be620fa9ff181612f8ba36def54a70821999dcdc15e74364def2bb31f07f1122a1ac46ab525081ec253b648d88e87c760c12430e1cb54450218e1e55851276adbcf3058ec72cafdbc11c1062ccb5340000000d5bd4279ba99cbe292f6fa4be83eeeb4a40eed01dc69c3acf8fd2e8c0c9fbbdacd4c56af8d9161dab1d05dd332a85c9ef72626e4f4f17e034c3ea5d23af5acb8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.128.195:80 www.bing.com tcp
GB 92.123.128.195:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1E4B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1F88.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e90a56870e4ff8aebbaa5727a051668
SHA1 7e3f3709412e63c2f0c2089e73ae0ead63e15b6c
SHA256 a50db2836cc84904b7971dff02e8f3195b9cac787a62a2d78f539d02ed4686b4
SHA512 3355ed58d67f9c2a147b0ac33d3b77338dc1e3a26c53de9ea67c67414e2cb05293f033dbfa6d4ec7d1d4b5242db38ce10588bfbfb4a03b638a615f71003a9fd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8026719e75be4006d67e99fec8f1e2bb
SHA1 eeeb16248751257e08b14c9489db0ad9832aa91a
SHA256 76bd2c046257d72730af4251eee124c2c9b43aa1dc79c6e3b1f7c6794d05e318
SHA512 999a66862127d929fbe639df2f4b7a28646d37306965c55126fa01454574acc84c9248f2b44a2a7eb1f3903b494b21c4cf6eff33e128cb9d27695aac84074311

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 68f0c38bebd0b92d147225dd38d304c2
SHA1 1bb2eb93d279010e965293a95a27bc5aa6dfa2ff
SHA256 01f819ca04cdab324b838dbb1e04e6951c518a01453dbc38f8e0535294e20db6
SHA512 94ec94f0ea609859ac16ba4fdb842059a4247bf3893a08f593bb3293e411c58306cfe380556fc3d268397e6170f30bf16e0507d1f2bdc8804f2803950636e6d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85952dc15a7274b8ccca804f3296b6ad
SHA1 aa7658ce7530c3c789643721e18587fe3dfa6325
SHA256 062e30edb189d15caa5c9aae3ec418a1df1a83788bbf4fae63fc49ee546c6157
SHA512 2b06ba7fffa63a6dec45c06691e505f306ae394b14d662cf5fb5dc1ef273806ad645f9a46357d624a726bbe536b75822b5da64bf66186199fddeb809026fd578

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 128e18606b45078a86298ba761a3df66
SHA1 a17e4ba2739483045ca26a50bedd6ca49720c9bf
SHA256 bbb246145c195ba7bfdb1d1d279cfb7089d3f3dce2c6ff8d94de5401fa20b56a
SHA512 cacd80affcd67055a7a4cfe8b39e173fc5c9a8b4295f3b7777b53315c0f1f7b378ac61b8f24883cf1b0790fc2fc8431fdef3cc990e30a9746119c5d4fcd62e4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd51311a38fc02ce6a584c7a003c61f5
SHA1 bd54393683ede8151760c599027bba3ae098a603
SHA256 9b680d368a2ab26f096fe0ba3a2a0fb44419edc53ee63af780163b0d6dfd2d89
SHA512 8af982b4c45666b558b5ff41e370084e784ac1afeae8df25833d119af4f4bfbdec4a6f1fac0325a19e1ee87920d064f0a7481276917f632aa37fa6ff7f2bfe0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d14877baf77de92e62d5041b32bd895
SHA1 9d9555c1718a1c4d689091086ad8bf179a2fd785
SHA256 8d224c4bda3510c2c4c652e09c461279c7e87e575f96b7c9f636c195aff76423
SHA512 b7528a6e56e069a0513e02535c41378c5fe9508268e86bfbc91c9e572f6bedd27cef60cf6576222c3299f4d0314c72a28c4db2570d8d75dafe41c78eaad514f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8695b378e5fb45c148ff0ca74ee6b49e
SHA1 6417723a39a2378f161923dfabdc2f119cba78be
SHA256 9a2ba2961ce02e19d4c8b2fbde71338a6a769f5f423619703e2543da3b5017e8
SHA512 022bfda085acbc3b9a80f96913470086cacc2f43b8607df601d355bc1bbf84157a65452b872a67b824cde55c123af81c809420373fd5ce7e09951b54dc93b47c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0d2bae7c2f4159f04acbb496584baa8e
SHA1 b54446aa81fa00e859a58a97719aef62acdb87fb
SHA256 1b5a0b83e9faba2a9531f6151b40f2adeabc01e722ab8da4017f223a0ae70392
SHA512 b8f807416d4798ca9064c19bde4031215e0818c767d4e129ebf7076360c6c1c2b81e286e8d938c0cf395df68d041d70ec74dfc4298cc6b0ac4c7d63d056819e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b6a8bbe3d40d0e1ba1b1d4f6d2dd1ef
SHA1 71fc4ceb9fa1428d62746dabe75892b9414a81f3
SHA256 f974daf945d29316cd7477b18ae2aaf34eaf65a02db8365cceac1d41c1d6e583
SHA512 9de658bf631f118b7c0ac95c5ce7522961a17534366f09a3a6a9046f5ad288042fc789ee556a361c83d8c2801d1ce294551d247b3d864891cb7de9354d2d9768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f2d76300486882f79fbd43ccd2f2aac
SHA1 5168c111558cfe733a9bcf080c47c73bf2e3f12b
SHA256 3edca5c78be651ff7ba9dd70d58814b203a81e24d1f518bbe1583bce58e0d3d9
SHA512 aee9004bd027f772114e02356a2869e04c0db5747f6ba464761139237774f6b762b3b34839793315641c8d861051b63ca282bc470467750d6c73620c76c192b5

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76b8de9fe4775b03866e1f2abfafd16f
SHA1 86bf4dae009752d8b8c0560edd25eab2def215fa
SHA256 33c478ec07f09d9de691f7d427946cfebd124ef2244994f0f457f80b121c5cac
SHA512 f9b40427fd2c68cc23d91ca5daed837a8ef32351145432560343db394ac4cad1e1bc76a5008f89843e3051d27d7a8501d02826845380104fa0a555b752fc3e69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 574d6b448de77e3b4d0719266cccd0d6
SHA1 a1da79f4f0acb3333e36d59c7cd949f86931b63e
SHA256 0e3a0599cadc4b4c51ad8428f5bf02394235d94574fe1bd8120eee87eaacc743
SHA512 1eca6686175606f84ceb30b2bcec7032dfd9ff4d151d98459d4cf73e11eaba2775bc1b1c59d3d5be5bbbc15c131370b2626e867c650d13639ab69643af2e9e3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a395ae3e030ca93ec5b2c6fa32a7a30
SHA1 3b97e292539e0c1f6fc6df060137f3ab2d962caf
SHA256 e230df405e6748d2104d7d44b8bc98475791dfa0e2925f0534c36bef4a01aec3
SHA512 064403a27f05e4bd70b8bd19b163c5375422493a0b5d31ef9f487e31bb14dd206ed73fc120f9aef5e880369f3cdaf1640c721009fda507ab40e0524f1e3b34ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b59f5360351db9533912dac55486861
SHA1 2da2a1045a1af3977985bf8d9973b2c72fe5f17f
SHA256 c00aefde1fb60dd3d183d3e71eea1f95cb7a302c0c63be07778fea386f4db631
SHA512 1e6e62e9528e10ea65800f3c3eab0d73cb294dbcf851f623a2e4c0e8f279afd650cd0ed98d695961a544dc91ef8b238137c364643c95cdfb00fb5437d5e67f98

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57edd42f7fb19cd5e04d778f3841e2d4
SHA1 756920ea5573a99d7a6e1152c93b1e62c46039a4
SHA256 347bba5cf8b56aa2863616c2a8748e207982ea2129cea821795c6dd7dfe02648
SHA512 5227e7599d700399309a3d2c167d52ea9a98d3d6b1c51ba3e16c966644b775aac2523d92d2603723fb006f947f86dee8fc07e183bc6e96ccec36b78ad7a55e14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2332eec69f6a0041bee520285d271712
SHA1 08f6ee12fc8ddd49996376d6a1184d5b716d376f
SHA256 eb16b73b875a6fad18facc750e7e921a7c7bc30a342bc280347706cbfd7a7f1a
SHA512 3ace9ab0c4a66549a7400333e971e4c696f3d9ca06f3ddf6d28d2203d2fd6443d1065052945bf9c58762e6f1773b999ef1629391f84b66e377ec90aedceb83d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3333c4a89433230814cd5a0567eae9f
SHA1 0d5db3ef484fe3ce1da386964340d25745c4d08a
SHA256 179d883bc7b92149fe15c37357b8b48795f037e5f46510a69696ed4b93c1bc0a
SHA512 7b4b67ab9a8e3480e2fec72b363265a0eacbd85324b82febef81fb04d6c7e60317087e082f8cda8a85305e6cfdb7eef387479fa57b03f1014bf84100abb0e84c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecf2ae12973c70feaf1c46cf13ef3cfb
SHA1 4575ef9522e2152dbaca9d45cebc5faf44c759a8
SHA256 25bc9e258c0b763f882bfe210d3d5d77809c6c7a84ea5569b056f5e34b5b74eb
SHA512 210c6dee85b051df70e7ca63b23c1f422e062d59e63c05943b8b065ff2da34c3179b77404c4086abbeef0280af57cc556e5aad2676648054b0c1f717cae4bf6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea7af5b5bcfb8af06ac3aa2d8e6a782d
SHA1 68505e5d99117a0d35a59c92e43553a501f1fcc2
SHA256 b924d70f71e9fd7a6d558549091439e2cfd06bc2ae0681ad201114e691d16287
SHA512 96381169f552e5b3685380ce53106c13a0088a1ae1df641113ad5e113e122452220d4d37de664be34c46e6ff1f0fc5f1e297e8fb5646d2dd710857dafe7512d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4719100aa7d67c24f4d231a6aa744e4
SHA1 588cde15af49ea7cfc3e7420a0c4f8ac83f71921
SHA256 163271dca3f95b226eab879664bf8c28bea915639b49bcc9879b2b6854bdcd31
SHA512 c0b3b38735033f3c83780c4c38717ba9e6903f006d3299f1b522146d1f6f2daa01065e35051a23b82325e7a3f1e11200d2f13e7232bfeb37c1bea7a6de8c8418

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0cc1aabce4a8035854af0f383f46822
SHA1 48b9b8255ad43f236f2c8cc0e7b262e3b3617fff
SHA256 e4aceeba13407961dfb56508b38353d3cdc83fc2f3a043fbf9644f50d6b26e40
SHA512 0988f5760721531289e88ce488412b1a422f0055694a0c52cb6070b5214cfc78773be12d47277e9bedb336aeaf605542053d6f18f2f316d18d7066780c1f0c4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb11e8cd477a8546ecf7c64341c200b5
SHA1 a3406b360e9240121917fed6b3f9d8ff13b7665e
SHA256 88998be4d98015f349addaf109323fb5727029a13db053829df14fac150e2aa2
SHA512 a6ae95a438b50d8efa7c7df11a4ba1cbd61e7abf5cff455eb2cac0dd2d1aa3e1ea6ef199a384b906512429ed283f9d21a3cc3f4c2241e2d5cbafa6b69532a529

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 17:49

Reported

2024-02-04 17:51

Platform

win7-20231215-en

Max time kernel

122s

Max time network

133s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb80000000002000000000010660000000100002000000053558477edcbdfa3ac90bb3cc85314090dd33a1f3f2895864155499372002599000000000e800000000200002000000044ee65f2ed95c2b194ab04e2e4e7995980385242d7daa36019ebc852a257940b900000009ff2d6434db0cab2764983ee21f398c7a608d391498aac79124790231dff170013cc1dbe7dcae194d8d4836abab7684305de6bd243958b1712cd337eeb14debaf56cee43e3277ea86996bdc39c3dd1175cc32087cba4a59f0643745a033ba858eccde29ff0eb1b9eebbf64a557a40519185436298a98cfacabaa84bdb432d9dae80580ad852e35564262c51bcb1b73364000000054f4bb4cbc3209a9e6c33858c2782d451e7a8a4021f54e5813d3b1a984f70dccb808d93c854d329704fe57332ac846b2314b05058fb46b15632b8df0a4753dc0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB368861-C385-11EE-AD08-DED0D00124D2} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413230832" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80fc2c909257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000d9e931e81995a88954f4c919d3669aab315557e611ac6d1a8099a3df03d3e769000000000e8000000002000020000000c9822d6524c6ee1c079ac4ce9d7ef91b5c505c8a0d1980dd79386dea1c0a1b3b20000000ab41d33f82108050971fef4e9d21aee2afa75153423cf7eadb8051fa3b1d54204000000083c43608b1f68ae81be82f692ae3abdcbcdb7ad89a82703dffff9e88619ff68f43ab837060aba04727ee6f94c761d37e0078d3a5271da521029a68ccaf362fd4 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab95CC.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar96DB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 396321bd06f7e79a69486ba2d60dce43
SHA1 0af8e6e2ef41f4345d59eaee443763b22d293272
SHA256 b880cfb65fa8ea22d66c59e2fe00d94cca3369325f8672a27c86f6c8cb7fa719
SHA512 8ea2a76332c4573d65de68e1ab6b7f84222429fb61cda68a7bc8a3d1f447ec84fe4e70b6c979d6a01425cf93f7d00e9c5af6c63b4af02bc1d2b3d833b356438e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40e42a14ae7597b42ea54b9a7660afce
SHA1 e6c0076565bd8813ae8541d0aa0590a5adb812ba
SHA256 5164dc572b85be01f9769444dfde9d0f257bd29ac8629336e28af22c9e07adc0
SHA512 d6e394eb62c005134e7f8892918bacc2d77074a019876feef388d08424ff741751bf2aa77046ba293f7a2c8a078a7212fe063eceb9ad32826a1dcbf630ced273

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c04fae9c21bc9f7334f2ec93a5e2252a
SHA1 f7588c685aa3dbe0dbfdb31765e1babe3b6ea812
SHA256 607fd75e3adb7740e539e634b742987f01bffe05508e2ca6dfc747235c28a830
SHA512 db411c2cb4b73237b3fc7134d1f3dcc32f2863421dd42fefb469752a0fea0d6afeda1e23f41b103efd1f20ad1993ecfad63d714506c7adae703099eb919447df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9476951dac89c14980ea7e1501f40d82
SHA1 6fbf7c0e660fc3a8c44dc42e8ab79884d14bb77a
SHA256 5d4212e1df680e1a772ec5cb1cbd641e8e5e054a7a7aec343ffc4126579f1305
SHA512 f81c25cc9b9ce8b90c413629d7f0cf288320568d1296f6459c66abfde7fd9e4a90c00c18906da36f8fe102942be0210e98e067ef88621d9ba08342917671e705

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5517188d2bbf201c03c67c80e6ddadcc
SHA1 36a1feca345632926076a15a92175758baebf94e
SHA256 ac77b45c715beeb19bc96adf3086dd8ecca96fe2d2b64213d9cf0b4330402500
SHA512 ae26e586431eff43317e05153813da1091f3cb9d85ccf5a0aa09bf40a03cc1960cce184378e40ced843c85bd8e5ba1baf92d9984163fe581964d4af53ca9accf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06caad7c5cfac70d45d07af79347263f
SHA1 19c5ea6ae6755f8f8bbd624a2596cc611a6d072b
SHA256 b91df4e63e683769e4b906a63ad4add70fbc12efe2a439d9199b02562a60dfe6
SHA512 6734586487e3dc8e9be69cff8e2a593f4a6846272895163f65b9b7f8ccbc3653b830b07db2fdbf656335c447aacc5620bb28e6cab23130a49566530dcbe43df5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b94509cc50894f92aa07d56d5f6c1773
SHA1 2b2abd274e524df0f35ac481941d33af3219f3fc
SHA256 f79756fb49f583070359ce0b91b76e75db1af758f7682a8f12022c0dd0f0aaf5
SHA512 d2ef3326aef7aa975af6a82e87c10aa122b60d2608e0a846bb50258e27f50545e5b8bd596ef0c5f6d00233c447d257bec2c82f416912d57182476fea9b09e859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71fe6b1e29479356512d791cec89bde6
SHA1 dd5e508b01fff15702e8f151d47e492d1d7eabd5
SHA256 6eae347661ff62b8283b7bb9d1e7241ffee909f32b9cace3d6e5a222ef6f620b
SHA512 e7476f2201f7f32bf43203e4aa3b4450837342681dfd5ac4b99524f1b238b135cfad939f0ab53cab9a60d6b631b5d812f7e891a301a2d0c2644d99d563f44cec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d293ca8f5f728ce7b4967ad7b52834ed
SHA1 804c3d4160d65cf123662c786b77ac203eda5dae
SHA256 a87256be02bb59341408cc695b4b8de03585c96027b18436e41f5dc434c8bb01
SHA512 499d4b6be4d4b14b4cba67b5036ada93432b0d0b39726a088a87ce6813f6fa0ca13ca7e8869876fbc0dcd2b4ccd45ff16c5a940c81fbc9422e81bf41bc60b276

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fc1839727974bf4151ab64744fdee37
SHA1 90553424d5d83626dd8c0d03550e6539abf75d4b
SHA256 997cff7b27eaf7292ca58c8e1f4a828f9ffb402830d361bc3df70de3601a7e36
SHA512 4c9cda70e1f7e2a392495d607868eba6772e66fcce2f20d8b92c9ecba24cf54f89f89381ad6e021f6ad0e231e7d8d9d8c7ad98bd3b77cc9777251370fdb944d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6630b03e7ef55cd1136cb151294555fe
SHA1 3617a5a4a39fe27d1ba1d17cbfef215a0566abab
SHA256 166724714f43b3808a787d35c08e0f37c17b3a34dd099b37825231d245609daa
SHA512 c6fe522e4df4010d1544159c6d1802a8edc3a479bc5586f3893ea7ea0bf619daca594afee682aa979a447fcbdad01d27d5458a0d464cc268e1ae74bef0407495

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c989e81e7323715c8275c394a22d4f7a
SHA1 92bf56e6073ad58448637260c7a2e35df9bd2f43
SHA256 ad529ab5a2d47526ed4dc78f5fe9f660848f8d6e55a0359d5328792f351c7b43
SHA512 f979cadb2ccb7cd6847f97b41cecd893634cd050ac17fbd26bc4144e97cae3ffb973b11cef37fe034e06e81b5b25d45f0a6c68e766251ab7b5d2f3d0d24f46a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 586c160ae606f5f8f3ab9d67913941da
SHA1 478906b97bbb1f6c8998042092b5d29021a66051
SHA256 c754f5ea82e14e29981cfd68d363582dfe6bcb4514b3631bd79b52e84a87d534
SHA512 a84b894f3ea32157dcb285c27c8cdbcf548345737367276add8b525a0c71efe989f8868459bbac70598fd4687cc122b028ef08edbc245226ceb432343aa62cda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc77cd2479db57647ed16e8ede1fdd78
SHA1 0d6f8fb4219b1e1a866bbf3f86242383a606e23d
SHA256 160d32b49938154b2ab80eed099d66f872046b86f773dc4a0dcedbd67c7d2fbc
SHA512 1c944a2a6264146619127707684e72d0e8f5cccc6c062f3de517348ea1a893ddc34b44fa9a70bf5a2b808207278c6d78650f95727a47291823acadef22cae357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 572bd8a47bfd461318bf2a25ed854a10
SHA1 1edb3ff560a11d12a2f06154c714d3a233c8784a
SHA256 06838e60e1b528e501ce75e57c06c8effdae8dfd211ede24327d2deb6762c683
SHA512 ca6cce2b108a79e4e463e4cb1a0f663ce360ed132597ef00ace8e2d2f0d2fd9afeb3858dedc6513175ab400c4cfda9f4cb6aa3bf5ad2f854cdbcae21cf135a42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65c0b4cb3323992eac2e33928aa4d881
SHA1 74f20d6702c1fef1db4d324e02200c368d11a931
SHA256 4e2bed4eca98976a0ec999184823029295ea59e4caec9b8e7d49f508b81f656e
SHA512 d192af8e920d707cc030c56c0964028fdfb8bfa84ae7f40311f1e863c9a5f352e2e85404c4b57c825587fd1288aee1378bf0233cea5773d72b55d95b42c5e69c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a41d04d3cb5349ee56b005f58005cc96
SHA1 bd148e790e6ab4b1f65ad2b21ae283c8a35dc2d8
SHA256 7678785eac2bc0754859a982dbef8466473986c5f8b34f16b55090e5f77fa0bf
SHA512 8fe01cd94043745b728c3b2f26a5ba1d8f7081434a28d71475c0ed5437bbf5900962eef19a2d1a9b21cd92289570dc6ffe16709aedbd648d6190177ae3f60404

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 096ef6a6f5e197e95302b779d378510a
SHA1 b547ce88d7ebcfb98a92256053a2f93c13c4b9e6
SHA256 8830e06b9e6fd4b3ddd1b924b713c0f500d252072bd5a3f52a35fec5aa17e860
SHA512 4c6ba55d10abd40f0df6e5e7cc6908a898c0ce94769c5228dfdaa416ab5027e704fef6becd651f009990daa80cf948116e6655f6d31e141f9999f99d26ac7edd