Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-kmpkvaed6x
Target dd96cdc200032ebf1d6816a5e56972e9
SHA256 978d2678485dbc70ea11a115a11077a277974e8132c09e3465824fb637ca0ab9
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

978d2678485dbc70ea11a115a11077a277974e8132c09e3465824fb637ca0ab9

Threat Level: Shows suspicious behavior

The file dd96cdc200032ebf1d6816a5e56972e9 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 08:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4464 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4464 wrote to memory of 4868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.23.48.23.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 96.17.178.178:80 tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

122s

Max time network

136s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD4BB1F1-EA83-11EE-ACBC-CAFA5A0A62FD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417518076" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000001565f6979d33e0404b261cfcd4cd5adf5721aeb4c701504a00ecc7de41d812bd000000000e800000000200002000000031f9e6d321485ef3b447fd329db8c4b46e3be0371a08517f54b27bed2894b61c900000002509be40efe2d2b30b220150d0025c8a87b5b3bb8b2891d3768fb0b76fe9e927b2842ad84013ee81572ca55f8454a67887bd72506e719014e6a4cfb82232d16c64346369c36ccbc1eb0c4aafbc156427b0552c697218292ad8d369e6ea55ef5de6adca27d378e41ad92d8a74480e9219a162ca49297b01f75a7b3facad731a1bf6f3525e812682d1ee30c146806ec8b740000000eb9b11a1ce015a1c491ae8ec66dd0e959682d3de745d8634f2da3ee9b86a0957902c2ccfb6d199f7f0e9a342bda42b4baf9c1db1bc7aecd815cc44a96abc6565 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d182698a4727943a65bc6c9ecfd0fc5000000000200000000001066000000010000200000007d5efe68d517299f4f005a375c0f098ef0282344c60069c04fc87307dc1325a9000000000e800000000200002000000052bfde5afa49ba64129912847a10401dbeb8a4a21675de9e535944bdd3d3a1f320000000b1759daf432f4c74be639d3b069c401ecba25677fcc58661122b47f46a4d360c400000001a16634676cffc6af625496c7381eb4f814481775c99e05cbac5021cd7f05ae15326ddbb0d0753b63a80ade24b96ca4aa001d0827f29c90d105acefdeb5ada4b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fa7292907eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab736E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar7549.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0119f2212e7ed6e3f93be8ff352ec4ce
SHA1 b8a6079ea35dba2e2cf90cbfbb9324704a754b9b
SHA256 18692144afaf720b8b0c46a0bbc8794860ec961f1ac6515c96297231fb85a9e7
SHA512 81e3299c4923ff5ff9edcc184010348f80a5022293ad5e797e13b1a39995b3ac971a79eb15282a21e64dde420d18ef1407a97c48497cb28663fa9a395c60529e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b71f0e20a07b7756d94ac664f90bd6
SHA1 ddf6f0f03594a509e05ccb60414beedfefafdab8
SHA256 418e4507e5412147bdbda2952e1b27fc4cd8541015c9924704ce8955e6631a64
SHA512 36cdd3a6191e1e00e837d184a0dacd990f0166b19732d9d78b4af2efb4eb4ebce442284525018e34a2dd574c901d15e557ea12c738dc5c8563c8a63b0f9339eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7dae1cd98a132f7ad50c267185f98cd2
SHA1 31fa5d25dda2942c8bcad870d33786a126d73e55
SHA256 a59cea603493853816ce48ebeb0aab63c6b29700f40fb48aa238b7a8d1086f9f
SHA512 98ce2a101ea6df34f4adef135aca33e2eed46be954b57f7a087c229284cbc3fb4d6620398dcdb1c4cc4b9c2a226a72909f0eaaea31092ed8d43354bf74a28dc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47a9b7b1355e2c8b27b5fd760dc53d7d
SHA1 2097228e2a4bd09ca5f313292db9d5627920f374
SHA256 9012f33ea860f5f8e9650f656ff495faa3aa60191c40bc5ad7526ce2060d4b99
SHA512 033cec3f0fed545cca2d4ba6fb1f8a68d574410d3be2b723de8188b4cec6211606f17cc23083a4658010b4dd599a927bde002ae487216029c1ac02839bc1398e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 708563e4c19f63a151cfb54911a86827
SHA1 a202d9b2396deb96bad3f118b0a8ee9ba43aebd3
SHA256 8b7a3ef1caeabecfd7170763b480aa2caf58c4e963793a8cfdc3c73d77928dbd
SHA512 2a151a4c5611ddc5d10c687b007dd302b1f6453e130e9bb39fd8cb04c0d38933d8b9ea1d601c6efd05c4ac5b9380d9dc5bbceb8466b9626640d173d6b9fe9700

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0184058f0fd1a013832800d57ebf9de5
SHA1 508842562d86473eb358efde9f14cad511a9cd72
SHA256 7caa4c7358b86772d0759582a86565fbb2ae07b6511c0c5fed2b55d7ba246296
SHA512 8238086792dfab2898c80639bfa1fb6ba1563d61082d17098de9675dd27bb29196fd9ca2e8aae6a3eb70ed522e7da1e598478f7e612afad2948bb82d470bc1b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ec46358ac54561d73bb88fb7ef69d23
SHA1 76660ec45f6aef1fca23b82f466892cd87136b65
SHA256 5b064d7164dcafd931a8f8073b388804390d6e153cd0bd01fdd77483f46363d2
SHA512 ea9dd71265c03ff283d07272fa522d4c871ae396ce245877f7774237b6a8c58f8cdc25ad5d3d82b261ac12b40a6d6881ef483ffae9a761079278acbee2c63a70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8d9a23951ba912b3fc46a3a02c2b59d
SHA1 02f3cdd4ce24279cbc8deb187a55236b82af932e
SHA256 11ceff236d0a4e01100a615404e826a986324f4f7b52627cfe8a36397ee50132
SHA512 ab6e1ef4d7d58f80ca723a8c52bbf4c1597c944f44276561a949c2c0ce09f7d4501c57249cff821e9167a1adef3f62b2467acedf0890ef2a6bfb4170a393e449

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5adddc42ec42459049ee87fe0e26ccc7
SHA1 a9cae18e5828e3d98ce1b0779a4734ad105e0646
SHA256 80c67218ffdf32cd7fefddf49ccef0c754fc4a3d8abec92d59fa20a4487f7570
SHA512 546b844e7f577338ba360b7c1ce5beb78a1b6de9a1765bb30a827528404f777de28f6278b3a7372571dd8838b4f77a39c61c5c2f1a6d8de69a531850abf1a4c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbbfedc8bc0794180608ed6897f45ff7
SHA1 3d472705b3cb575ab65e9a733814a4e8d2687f88
SHA256 4436cd1408b32f0f12d60aa338cd57d74b311320e6c96165570afcd0c76ad8e7
SHA512 3a2cef691f925f2b0475441b8f2a35db53f6bbd711509d696c487635b573d360b51c337df1dbf714b2b8c01175beb4320a99d3cb8f09f861d50e13fadb27b297

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7526932553c6e691e587d82a182ebf65
SHA1 78834fb37328ab2a9224d937c4c939af144b274f
SHA256 567bfc9eb6ed8d9ae804cd8faa9b28d5f3590603e21cc0149ba0d0cbad9686fc
SHA512 0c04e9ea607768789fc7ed0910b7983d3bf7ca309a25e6ebebb3ae0b493f6172656f700bfced04d9eff796236470a500683141d14165044b4fa291fa26e6280c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ec671e62bbf15de018a789595ddcc82
SHA1 e2669197564d13254ebf52f64dc1382016b586c5
SHA256 3adda70d194782f54bb7d006a7aca9f633d1b963aa92b39b074726e6c15e5208
SHA512 a2aa395c88c8d6ff171a689b4dae165acda82b21f6ddce85716ed33177ed30bc450d6b15c474dcb9b9345ae0e3d435bbdc37956380999b953b580fbd9719efcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdf935a51ffdb35975f307969d28b1ee
SHA1 56a2641794585529adfb1665b8cb5ddeea320c3a
SHA256 0b9be9881dfe4cdc5c54a73545ee19c741882473f6a2cf1b51a7e4821ed148b4
SHA512 a88d9cdf550a061fc3d57222d814794c09ca87840a6fd5752b52e2f1b45f859e72366c4277a527f521890f95513efa71631228b97f79da6833f48f772924dd56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcdf07f42fd2376215bbe3151402e43a
SHA1 54369d4cf7216fa92071a8a482b672a8680957e7
SHA256 231f15e1c983d46d48ba736dc01fff3cab7b1ccb42b8d8341331b2b26fed40ff
SHA512 6d65e7d514dcad9187d7c996d00836ebe4c079ac2b7ca7bfd4c20e709905c0a2b01a0dc8e7b035661ece75c38aaa1dee3024c3dab0b68418d33d31503f50061a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2095c369611af2d2eafb5beb7a49fdc3
SHA1 3f29b0e6dc8063439a3919ae68320f2e8380211d
SHA256 bd195066e32d79f255d964ac99cc479b0d54c683fe69a3718af43f33b911a8c8
SHA512 ad725c29c391a0aa2d4cd8fea25b60cf76275bc7c9ceec03f8a8bc942b0ef4a0d26e1ff397f1ac2e29d153d8a70af57cc546606ac82cafc4d7baf8c0778ea231

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 2900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 1388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 1388 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1736 wrote to memory of 3864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe36d246f8,0x7ffe36d24708,0x7ffe36d24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,625688736795640174,10596293917124498029,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2992 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d6e17218d9a99976d1a14c6f6944c96
SHA1 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA256 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA512 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

\??\pipe\LOCAL\crashpad_1736_GEKDTSSAUDHCVEXH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c129809b87c3fd09da94f73c15505e9c
SHA1 bd5ac532ea2974fe6cfad186593a15fa472a3d0d
SHA256 0f89d5d73d6b90db3703fe17b4015b09702a8753fb77e68046b4485ddfc5b909
SHA512 2cdd8cf6590d5c9520f9506f8ac4d8aa7ee40a532f59c23bd5b397214e33352a4951f6ffbf15efaaa3dc445a4ebc6c098b585ab36f3b9459d0c08b324cafe415

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 73fea04fbf8b450f502572b86aa62686
SHA1 b428485bbf101415297d81e49ef9248454670b52
SHA256 87d2c78b79866c957f61b37042ac96daa1d9c77b2d55a5d9050b9ee78797a8d9
SHA512 8f130793756e7b0bfd73e5b5a2c1d3edcb69f64a6407ec4a4f6271279644a7d3474e4d5cc532a4e0e79af57c655cf895755819359983eb76c1fd5b65e5e5d787

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 82e6389606591588057cea33632021e7
SHA1 2c95e147a559398f133984d5c852bcb03c6b9f66
SHA256 b64dbca2a8ffaf654cdce35eabd055d9510abb28f67cb9e2382cc715d095f75e
SHA512 a4df22ffddb75e8692e2c3508122b4cd412ee088957315cdd20e903717b3d0ff1b75237bd5af8b926f14c0238ae15cc2b7aa8b80c0301b71e06b7961bcafc8db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 c2ef1d773c3f6f230cedf469f7e34059
SHA1 e410764405adcfead3338c8d0b29371fd1a3f292
SHA256 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA512 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

137s

Max time network

134s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417518072" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e000000000200000000001066000000010000200000004df2cbe28181519850cc3428dd4c981d803811987243cdab35d44d9064811176000000000e80000000020000200000008d8b3f4b51575060061982adbdb6cfc810de15afc684142ebd588db4042bbe022000000049f7e5c9af6266a08445a4b3031662ed34886b0ae2944a7d040b384a51a7747040000000740a8be2529b53b0844154bd2754ad3df0cb0fe0e17036539c6ea990a344f0d9dcb51e8c0e29366396a74f09d30fd4252f285e895200d5cd8b36a4c8f0cbcffa C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e00000000020000000000106600000001000020000000d037d0d137886ce168c3a743c4e2b2afa78b3500ecb99752ff8841ec2b9612ef000000000e8000000002000020000000d0c53da46f98e7ca91033dc45175a323629ebc84bb725cfad7be23f17816c7649000000029245ea9d379530f462369d7922adcf3d097e88fda3fd77f30b043287f7d144ea2727a7af0be7cac7ef062086d4107ada79ac81fd92fb2d82b2e64fad049e9817881b97ef0d6e3d4e92ad4ce183cc56b322423207443ace4220341aca3adb939d502e5f1fcb6a1a6078fe190ed3f8e00bc373114a28e04fc7b572272035c8103965faa977c427f9b6c54d8fdda99594c4000000028c3a2ab7fe51cc24ecce5a680b367d1a387c7b0176b9e79428a5d2fe23715e2d379b07819c90ee95e3531ff6c312885d7a6170a69207e9ca2ad1eb4f93eaf1c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01cad92907eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD462411-EA83-11EE-9B4A-6E6327E9C5D7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar944C.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16537d44855882825436ba396fc14295
SHA1 642e83a703aac0099a3d0a05711d830921ef7c29
SHA256 3a169c8757848917ee30031f0d66a1e4953537a27e75a68131cb1d96615d6d07
SHA512 6ff4e792b35dd394e04dea1a6bf348a10e726d674d65ac4aa0f63f1b9eee85e16543746535e71193f0d2e524f0c555c6442e32164ff9406c831eacb6805ca5b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cda61284ed0ee5b51cb5c83a1e590204
SHA1 c57f07513e0913388d5d753f139af79d4babe9a1
SHA256 cbad3ae2639f45e790aafa4b76efddd67a6deb5ecb587e0f33c26cd562c98ca2
SHA512 a2f19ef6034c361d891737ea40c424ff5094eb89937c4371eccf81938b296820d0a64d172d6d9ac2fdce473a616faeac761d1a22a0e2275514faa850f0d07ec3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 863817cd355d9f4a5f3a7057b5c4543c
SHA1 4164f09fd1e5f37ebe128a96848f69ddd50826e1
SHA256 a21f474782f1bb51289551882992cdf5dc6e139e438e4e251cfbc6b78e5cda33
SHA512 92f93a00db81f911afedbe80a868c226abc226a0c5e3de88f2f4295f24fc34a129c1a126e2ea013caccf900066dfffeaeb9806dfcc73dfd4cbd508863bfb6d3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d7a8b85551beff8d919a400185c5785
SHA1 51d8e2c946f32ba71e9b7ca0f29f342b413ff869
SHA256 044dfe24a097caf75091239c32292b94c6ce792770d1048c67287951bfcb2fb1
SHA512 b06003050a4f1704f2799c49500a5129832f564117daafc145fb90c4b76c6e04c1b05602138765579c52b5a01c9f7db5af44cca77bb5ee33c7c31c0fd46516ac

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5308 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5764 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4888 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5536 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4280 --field-trial-handle=2252,i,3429015581403167983,2708022432612919502,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 92.123.128.166:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:443 www.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 166.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 88.221.134.17:443 bzib.nelreports.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
FR 13.105.221.27:443 edgestatic.azureedge.net tcp
FR 13.105.221.27:443 edgestatic.azureedge.net tcp
FR 13.105.221.27:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 27.221.105.13.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
FR 13.105.221.27:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 172.165.69.228:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 92.123.128.166:443 www.bing.com tcp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
GB 92.123.128.185:443 www.bing.com tcp
US 8.8.8.8:53 185.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1948 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:46

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20231215-en

Max time kernel

100s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\toolbar_id = "{6D6A85A4-4D28-49ce-BD98-0C114445A686}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 4544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4576 wrote to memory of 4544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4576 wrote to memory of 4544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 128.225.79.178.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/4544-13-0x0000000003020000-0x0000000003073000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\toolbar_id = "{C7925D79-51C4-4d85-AC49-F3B97197E3B4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

Network

N/A

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

memory/2656-43-0x00000000006F0000-0x0000000000743000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\toolbar_id = "{082EB56C-018C-4c8e-805A-4CFFB27D0A25}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

N/A

Files

memory/3008-13-0x0000000001DA0000-0x0000000001DF3000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

139s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000d123d20632f38151cb5a1b0265f28810a76302a1cf76d7fc2226c3f60d351f1b000000000e80000000020000200000005678e6a028241ca22513a107442fe56a2a15865612be1b91f40769cb8c0531a620000000cd5269c156105774094228b9d12012b677aee7ebda21a08cc547b1c6b056646240000000fdf7b6a0019dfb77d4c5221685eeb8287bb36b11754293c85048c69355466a099347e3ca093f46b2b20b0284938db651ea79e9d68c8c4e72a2e42e8098b1c247 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD3C48A1-EA83-11EE-85CA-FA8378BF1C4A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0cce991907eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417518075" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000f1fe6031764fde2e6e8059a4811435252084895918bde3a5e6d52464ab74c646000000000e800000000200002000000051b7ac46938bd5abe2d33c6c2a10b4b9e1d7b4e0c8e2358f0455dd80baf5a06a90000000341eb68d5c8bd72f617606f3887a54cc61f0f4daed3c9df54dd5a5aff6d245195ddd408f106d62be99db71d450936b70eeb8f912e08cc5a72760ab688ffa6c169c07eed54a392bb5ae603e58a44d3bf134b713b504e91f4875eda9f5ab74f161429b2fd971560a12b80a8693e80afd8c99c8be59cfdd7cfcd6de63c679e9e8e718f6f07499549305eb3142dfbc440aab40000000fe6baf6bd160f9218aa2773a252cb04c23fb4ff8f6d5e1fe14441a0636a3f66f99da9e1213f1b2546a7bf5d9d4be73fa86f6b33709ac34ac126befdb9c9d45ec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1404 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7F8D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab807B.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar80CF.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4f8dcc33a3791cf473f2cb4e12585c9
SHA1 9e91a9ad7e26786fd977795a9c88d675e82127bf
SHA256 fc23a716709673affb713aa5f42e463248697386a703a097b99948ab05c7d3be
SHA512 abde818c1776d8d757b7cf5af061e1cbb8338c96f16e5c1605468bdc265a9ace22a144a23f7fc7fcb02cf13e21d61244f334e56883a88f9b9885a00021f50f49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0028a3b12a9138eff3b2f91a97df5f33
SHA1 3ac09622f02b91eca1c7cd6bb6ffdd5194eb315c
SHA256 5e951a3502d00404b405dc85c114fa6b5a8909dfc2cf8d6e66bda686293ce48e
SHA512 eea219e8af95a8f185c0d66281ff345f396c150bf878606533cb05b1d1598253470033c670de5b269c64173ef3c0a3d4bc00e734c9cbb44fb89f646be89eac43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8829a04737d7a8a0a873df8d05dac3ae
SHA1 d9c96bb2d557e4b3a8f58e56d8ed95b3c23b4c92
SHA256 0deb40291f6dc11e61740056ace45ed2aebaa6a04456b4fc11c3f39b417d171e
SHA512 47ca7daaf8b261e319f8990fc88759aadce8883ef4799139687a739011484de89e022727665dab7f3361138237872845de3cb636d1f2255075d6276762742688

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b19812f89ab5712950838e03d4885a90
SHA1 5a6e32ed42d34d2a1146eee38cc535a9194e427f
SHA256 395d7f0afdf15fd23ef9c5c490e839f36335cd18864fef8148da30230232c396
SHA512 d0ac3085fe93afc3cbde5f80867e751ea01740dde0e199f12b4a1690a73b98df2311d2be3e96a4e3bb654d020d1ee77c16309a34f994729a34429b745e51f089

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85783a6d47e8299f4631a82f6e30260c
SHA1 65881c9fb9f4cb42e368cb63e79d3133cfd93d9b
SHA256 fcf9d372c8cca14b7d2fd075b0fec71f9191e4cc9019d95f29a51f066db0f7dc
SHA512 e3a06c9efcd2a587b79d0ab1f7d3387d05a11ffc1c01837da251dad43b72cac06f99abd9b025042d80749db554e76b2b85ddc0d0a52bc967d605f82484835d58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1522377a2a4cf83554b088ad31faa44d
SHA1 d65cf5bd1db574f1e27bfc6cb6fb2855c85ae6b5
SHA256 5f30725f0047b63bfa10ad7780f807b96efe5cdf162619ea2340b011b5c69f88
SHA512 d9cd3981b5e43a055069177fdbf427b88f35416b07e752a752cb966af47b4f4d708f68400ffed94fb934f7920aa6259177038971434d83752d95d693c16e92ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a82507a3225c6c5b7e5d82f0f643f889
SHA1 b2b0dd4e7d1e46bc6cb6c05fb90a32694cb601a5
SHA256 489298499ab2ae84ccdaa4af778ac8ce026061332adc209bf7cac323db70accf
SHA512 aa76aa0c439239f2ba178a1333179887b8a81602f197c32db7cd7dc5f01fc3a6b2276f5e1430c4dbd77fc08c3ffe3345c5e94f059359b7762b25385aee8f4940

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 842a1345d9c2345024e007348ee65aa7
SHA1 a6055c8ff09c8d229a584aab188b1796a6103661
SHA256 69261076c060eeef927bdc5696a1caec15709ac871ed7d11348cd1bad95d1384
SHA512 29ce8184949bc94a031d57e6ab46e640e82fc1cc571658dfa47e69d7c16ff59913f109b2d0813816f88b73ce06dd83317ec3a4500ef3b9dfebab4d01edd51637

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5f6a51be7af13d6c8b3b89dd5135047
SHA1 7d87bc7c42b3d0bb2166c55fc93af6c73ab05c8a
SHA256 23e55b95cfef41e1fc1cfb07b5c98d44b10fd69b5c9d180774f3b6d813601262
SHA512 fa00d4e0504db882e43d7a11aa94ab4ee1e92e95c253ab2f6226fad9bb6a5295b1ad4d39e28ac04b443a9c244ec6a72d869a1c8131f71662350619c30034e1c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6d169f81b3a4f03158385a7fb923ad5
SHA1 715941037b7609506e79d1c9813bd558b4d5daf9
SHA256 509bc4694f02218860516b45193315acf6aa715b39c43d5685932cf01829e3e0
SHA512 87c5f7c265f936e847ec95ee2a5f883f6e8683e49b27629b238f69d1b5b02f5e478ed81fbd8e5bdd5002912aab8777c7e3d7f15a250874cb8fbe7591cab71521

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ffbd902064ad0a0c1ecf0890bfde316
SHA1 74f3554d25cf89d6c6aa3b2324a80e1df15fd710
SHA256 8fddded3570d9d8c7bc8f60d0a95955029239eca739b995ae1344c26eadc73f0
SHA512 16154332b9b2be6ac07f2c835e301dc392a0f914a9153b237ac2f3deb319329c9b57b05ef86a6e32e6e4e5dfee38707eb3009cbaf5f88e2b01e003e6f9f784c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7681ab21cbfac5cd960c1357a52acbf
SHA1 a73de15c2e73ea84c4a8cbf25b4c753c0a7e7093
SHA256 7b77a3b861b2dea901e9612f96c2f0c1aa3bc280153384c34837822561197cb8
SHA512 b2304fc5c976083da8b813502e4679ee6b4a357bed21bb17e16514ce52a189fe7ba31f03be5aaad01cabb6c2afb4c5159a01e09d50e51c052bea4c20c4b01677

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79b3c7af0252e0ddf3bfcc2982154ea4
SHA1 26c6506fbf71848876d6d52b7178c9dd511cc87e
SHA256 c1f45943de71faa2fa2fee03390841fdd430f471d66159a112e744e81ca9b183
SHA512 1136eed0d97f22b96499bbebe3b0854368164de7444b48fc7f82b67514c0b0273851c3119fe05a855f85ec3acf74d4c5125641b231d832da11146f36473b2e51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e283a074b985d6b64f10e515e1d88d21
SHA1 88f6fdea4c7eef9011c97f8e31f970435cd2a344
SHA256 69d9daba7e530773b1cb2f4e7866aa9deb87aa7e9b457d1a7d56541e697533b5
SHA512 b85cf6d8fd9fe9446093a964aa60f3087fe1063e1449bbb14a44c57abfc48dfa1f15e022f420d40120ac121a8a4f8ffc955d55ade31c8135597dfc85451b26fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f1e945e39b74d62422a85ee9049fe68
SHA1 f85d83c2775bce1275bea869eabf06cfb737637b
SHA256 9c520b1a8945f68e0da29fad40c4b230980f314d70d027ffa446af5f30ebcbb3
SHA512 a543043a84ec3a0847baa48f0f63d47849a0098af761cefca3edfd6df757f5464a33004935dd63e6705e3cfb2e4c9104d4ced6af8c972bfef20f4a3b85d95c6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a0114e0c38fa420d90dfb8eb9caf0cd
SHA1 1b51f75cdc982b353e84c9e254fc61fdba7140fd
SHA256 90018db4c31b92c1c97435cdfd2e0b789b75a0e65f45ce3f85a797b336f62e11
SHA512 a31206bcc0693a721846977aebd4d17f370405867ad9c218a322a8ac65eb4c1e29395b72e52ce08800b6733bba22268bf2498039b914d234b6005881d2b8cbda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da01813afbe5ed4f2c024b53270a23d6
SHA1 e1bf873df7f2c88a7540b403960ab83c16ab3f0f
SHA256 8e11806064aeb1b95e9c7d10b9b6f03fa30dfe188a0508721656e9f1a375deae
SHA512 05161f237e89082e0a824dc456333ff37c2e7257d0c8c2dd91b7896a1b48d5d577dbad626ac9410a4a138a41b7aac1c9c7830759a6daf8a5f87e56756cb7f500

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 6427a33c88a6674573f74ac2a81fe540
SHA1 aa0f3a2969bafd9b4c463a8e7d890e6016b47b25
SHA256 358e8a4aebb20fbb4aaab80c56103090653ede43f20f31c1deb2d12406f9d869
SHA512 9ea812c42191716d35e35b5acc75146e9fe264042450ad74af15e1059c41d5127801df6fdb7ffee351e858c514ccbfc709233ed981028d62e669ad3c7a892f92

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe

"C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:46

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\toolbar_id = "{9293D482-7905-4de8-BDCB-2246B5A16DB9}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1740 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

memory/2124-44-0x0000000000A70000-0x0000000000AC3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 2908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 1372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1108 wrote to memory of 4240 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb0d246f8,0x7fffb0d24708,0x7fffb0d24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1456 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,607705102719621729,2593660242244802510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5304 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
GB 96.17.178.173:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5c6aef82e50d05ffc0cf52a6c6d69c91
SHA1 c203efe5b45b0630fee7bd364fe7d63b769e2351
SHA256 d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32
SHA512 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

\??\pipe\LOCAL\crashpad_1108_NSHJQOFQSKGJUIVD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7c6136bc98a5aedca2ea3004e9fbe67d
SHA1 74318d997f4c9c351eef86d040bc9b085ce1ad4f
SHA256 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2
SHA512 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e8185d326044b0d5e7bb5e626a166c13
SHA1 e955c7323707f1638f01e74c936098ee1fee8a89
SHA256 0f5c005e13f2acaedac8ddde8f5eda1d2686f21c5f22d298b28e1f04ccd14b11
SHA512 fb33c55b0565250d5829fe319cd13c4b83b7108306b6c318119758760e1bed43ba5414b832ea85d76a198af56d3a6163d92e08b57b480faea5289b2357d36b8b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 523f9e2e476d53b16501b81f15a7f958
SHA1 cb14725fa297dbc7f206ea1960c1cfc7cb67dacf
SHA256 631bd17039d7822864ed80fcda407daae5a6a3e93642926ab0073929ef68269e
SHA512 c67cd848f617fc8ec57a69e83a0bdb1e1625d685a026a88b7b5d6779dad8eb2ededab2b08b2476ca75f8e7e432a8b0c04604f3afd42fd366187f1f150428c28c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de0e087b53593869daae949547822381
SHA1 ad05f405e92552e11d5830527424351499b29ed1
SHA256 66368f4120797aaf5382fa7fe0a5cdf3efd9419d0dc61046e00c7239c7397b83
SHA512 ac65f9160c17aeeab060772cde993bcf99e34dab67a19054ef8748f006e194853e3f3adc81d928307e44ca0e19cb0e0d9c1d6094061510c71eacd6d93f8f0d44

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 6427a33c88a6674573f74ac2a81fe540
SHA1 aa0f3a2969bafd9b4c463a8e7d890e6016b47b25
SHA256 358e8a4aebb20fbb4aaab80c56103090653ede43f20f31c1deb2d12406f9d869
SHA512 9ea812c42191716d35e35b5acc75146e9fe264042450ad74af15e1059c41d5127801df6fdb7ffee351e858c514ccbfc709233ed981028d62e669ad3c7a892f92

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe

"C:\Users\Admin\AppData\Local\Temp\dd96cdc200032ebf1d6816a5e56972e9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 121.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 08:43

Reported

2024-03-25 08:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Christina Applegate.scr" /S

Network

N/A

Files

N/A