Malware Analysis Report

2025-01-18 21:46

Sample ID 240415-dqv4gadb63
Target f02b84f97eae24b732db4765aa5d7743_JaffaCakes118
SHA256 fb6bc83f16fa005bbdd9d81de34ced1aa17eb6fc1ddba6450b82fd4cbd0c5765
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb6bc83f16fa005bbdd9d81de34ced1aa17eb6fc1ddba6450b82fd4cbd0c5765

Threat Level: Shows suspicious behavior

The file f02b84f97eae24b732db4765aa5d7743_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 03:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:16

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5052 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 3456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 1520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 1520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5052 wrote to memory of 2580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86b8446f8,0x7ff86b844708,0x7ff86b844718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7109588083018286146,16824102275579822091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 864aa9768ef47143c455b31fd314d660
SHA1 09d879e0e77698f28b435ed0e7d8e166e28fafa2
SHA256 3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10
SHA512 75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

\??\pipe\LOCAL\crashpad_5052_DSGQUYHEXDWWXQXA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e2ece0fcb9f6256efba522462a9a9288
SHA1 ccc599f64d30e15833b45c7e52924d4bd2f54acb
SHA256 0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005
SHA512 ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0f169ce736fccf5964eb77910b925032
SHA1 a6893e1cb788237e1d803fba4376a162c9dd19dc
SHA256 acc8f3faed2a3363c50d6b26baa3a761b1910258fd6d9e963e1d1f75758307ba
SHA512 ad9be153b7cf50c16e884e843f3c8c46c42ff2f0c4f8e31a05c1c0bb085bc064c25868fa90f5f589c3f7fdd675b468787028d58e7f9558767e536f73bfcbb7b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 36705b0244196fce138dd9ada845e519
SHA1 c0c7bcdc48bf20b240fe971b82945d4a3dacd091
SHA256 bf00b4574499bbd0b12012cd16d232dfd1480e69991b0060b17e0077d8c58665
SHA512 3a731aa665aa28440e71aa929f4a3a7e0f387ae34aa817d6b29278e2854014e809769675bbd81eca0aeeab91124d95494bf0b11eb796e1c2c2d2ca23832fa5a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 74bb75e0b150449d0894ba340fe7e85a
SHA1 5f319664f58122dda3bd8996bb63839f4afda2a1
SHA256 1f9530274f0b9e58b2d7c4d76ee1844967166a5f64f4c078e1929f099b9e7dc7
SHA512 c57cfba66884ac833decd6203c20f5fba6426ccfea5bfd4a6245cccdecaa2543c59086588aeba87ee1bd3e6c6d366a60fb3e737c3be9fdd73027c1529867caf7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3519b9d1d4452b4fad9550df8816ca44
SHA1 58f3c5d5c0a318d9f09e528868d7a6f8412fefac
SHA256 9b58a84ec3f2eccb1a2c61fe5ea91562727bc116cbc4bf6f4df68348e7c1f6c9
SHA512 08519b80bc18f0afa8ba95f130eec98600f1832f58de3ce2b267adb7edb44cebab7eb7780fef0353a630711e859781b5d9e9f7e148aa25209edc71c254cb6d67

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:16

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f02b84f97eae24b732db4765aa5d7743_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:16

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\toolbar_id = "{1F28E218-9579-4534-A0A6-CCA5313D289B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

memory/3324-44-0x0000000002D70000-0x0000000002DC3000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20231129-en

Max time kernel

133s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419312667" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C7D09F1-FAD6-11EE-8DE0-D691EE3F3902} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcd0cafa0abc6b43af0ce50631246c9f0000000002000000000010660000000100002000000048b3a7730da887307cf2b5868097b35fe6398df7a905465f1f522ab09636ab2f000000000e8000000002000020000000aad0de35728dbae6ae0646ed57a6e476817dbbce374eb91b599b77ad7393b55d20000000556b8032950bb9d8ff1169388330c4f7a0665a3a1ef04488c6af86296a809d1e4000000056f83968f06e792fb171c276da9059a6a7b71d1ca77944edfddeedf33afd6f1cb23a3cb78b8d6adf16916baf8a9df16bc17da42ebf5d490cd0ac9f8b5f946b5e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806a12f1e28eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcd0cafa0abc6b43af0ce50631246c9f000000000200000000001066000000010000200000004c2bda44b54aad3de73d618023122d294cad047da331b80f2c51d592560410af000000000e80000000020000200000006db1a3c00aae33ef3c8ca9a91520a369dac2fb596b1a797a14b243bbb099705f900000001822e9be14055405a6e6cf34b59fa510449a9084b7700ff1c0a5c61ea131323a6c48170ec06f1a8e066212f1273cd4b0d67468ba4566e55fac7259ec3a07447af5d6259a27f80cc09cd6e135152467749e57162b4d50e781b445ed2138afa1dcc30c722afeef32a0d440f1bf8c462a7005d3e3879ad1ccdd1f10cf12f363b72841b9d89f01d17729b2ae4e9c1fc3cc8f400000004d2ba5ffcdc7415bc0ca12e79320c53085d501734293b71445b28d59d7143a4fc73296fe5f3c53ad61612bc0724979575ba42fe344c119bdb2719f3202df1fbb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.97:80 www.bing.com tcp
NL 23.62.61.97:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab20F9.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2236.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c9dd84555612ad22c65d2a71c19925c
SHA1 acf049b97f0901f2e9ad723186839eccb6c10ce6
SHA256 3aaba039d5d02739d786e50a2bf308ec939d79d7c32edf81424e38b29037db02
SHA512 f0c3c8c4de1ee811c499c38b5506295b6646b5ca464631e576ad97fd4d2ed33b4dedc5160f091f6bdc9f38eead575e9504bea0c121cecee406f464a4ebb284f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 113aaea2d86247178ebf316ee732fb16
SHA1 8100a9e0499b81106a66c77590f54c08aa8494e0
SHA256 d9b1613e064205767cfb656c86d1bcfc64751e2489f27ac645019201731c5469
SHA512 5205afe97a41f4c500b0880aa739c07b4f055d964e32c4fb15a2b418de256f49723af6b2d79878c9581903d48b10f720425453d7665f9058f89073d9a9814388

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c6bcb1825271586c15f7071b8530d9f
SHA1 336181ad21306387529a3cd1facec52287bbcc91
SHA256 c93e70b308554892bfe42f0a585c7a1d2c10e823b685e6e224d6540340ab51e9
SHA512 8e3a792b7da7eaade4a29849805c48a4163b6706d70f7b9f5822ad55a1eb5403ff834c4da985decde28edf0594a777b4bc7d1d680b2157df90ff693fb60f862f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 203d02d9360fe51fe4c2d146d2cb1b66
SHA1 8ede8537d59d1619f00117f343448009e7119568
SHA256 2d804462700c757395018897163bfd18b7b00ac0f373ce9cb469408f0ed90411
SHA512 4b4cc0d4fd888fc7bc5bc73c00cdf6ff6245824a5456c26f27cf81de4a0aaf28c80b16058dd4f3bf5ded6ff2fd73ff4da777d09ee0c6f3ef9574d001e1e14660

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c6e3257c75acdbd5c8bac0009b975a2
SHA1 2b3b79b532a16f4932d3c7695dc1b0a93461a440
SHA256 76bad992500bae3134e2d4e7ea8c3ab6ceea82dc316effab8efd7d8db1d4f62a
SHA512 766d3da96b3a2e81ecee7a799fe4fe66fb918c0a5fc4c07a649809758e1186700c2c15766182911104992a1aab36d1dd443be5329e6d7545bd2d0477900e58fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ea3a570682a31884a3f739ac594d549
SHA1 ae8c6fffab9694759e98a940c722e4d4e6ad3934
SHA256 f59d6d574f0f26a06305bf03cc64552c9b77c392a2a9247ca342874ed02d60cb
SHA512 0434400cc6aa63c2a77784dc2da36351ca6b5847705e11bfa8eee4dc578fbec11debff66ab29cefe2ea8afe92c787628e6c9f146852de1fd0f15965635338ddc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 074d9a6de320bbd8696b5f8d4de5465b
SHA1 82075ec20326d2b357d8d0ed72e89a9e87983c32
SHA256 2489edad3f5295079e2b948b0eae7625a42658ce102283d7fad7190df27604ed
SHA512 3efa56d25f2140b9d54d52a2ab4fb2adf7b732d64bf03ce68afa831b85f316b24e11d8062951761b43a306be2ca1e5ab815821e97adb6e1491930eb1b47b3ae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 276de610ff064005917dce6c3103378c
SHA1 f0221c0f8fa82cd91d10fe537f3ebb5db67f12d1
SHA256 599a9e548e1c2ac34102e52c15ba7c6824800e2bae5e4d8c35eca0f2cce45845
SHA512 4cbc8a31d6e3a29af85475cf86bc2bd5728a6a650cd525294b6ecc2aa73c2924b5593f0eebde43106a456fc3e042b601cf44d4e3d820b46cf20da0c50cb45be7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a7ad4afe0ad2e090c5028cba7fcb613
SHA1 d587763d313f74c6fc05d82f82d6c0563073a010
SHA256 b175b9d0eb1d65d938313078599d892c9f13371ecd78cdb177717aeebf50484a
SHA512 1daeaac8b9dbefb465fc7691b7dc30f50b3cdedbd429561dadf1ce3fbf34e323a2386fcae3baad01b71bfe33d492ec9a3600a174fc7ea6d8d2316d7c062bbb07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36d9ae365cdfe2411a79687a90bc68c1
SHA1 458a71c81f779c0b6412de4c0d4ddfd00a5d58eb
SHA256 0fa4b4456ab8fbff6313a19dbd66fadf97f38a53e82d063893be6bee25fb2a7c
SHA512 26416f23d78a8b9f5b098fd61ac0c14fa0cc24d671e525f6d6da538efc6b5209741245ff11db70ea693cb25af684b246ec7d642ed051ccac8f7229fb1efa3570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a33d06fc66ead368cb6221d3de738012
SHA1 b00c9bb9d82c8878a12207a7233fc1a31bb12d51
SHA256 877bde514ccadc43d2f3c8002d2a3d32b8ab72827fbf7e6994fe97c3ce5d7787
SHA512 a3e59a866b94800aeae3f0a7f81a37c923b9c08031d6b6481157a06f0a59ad245cd60a3c4a1f3329cca7a3b6f0236c44ee4eac139fa5b8db4fbaa367c83628d8

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ccbfa2f7bee3e7d1daa912d8a9c69d10
SHA1 5aca0daf907469df0e8cd853054fed59c4c96c2f
SHA256 188c1d78cf31ee2aa2d0d726487a3804a36d59bfb103d4c77e3117af3fb8cb01
SHA512 8422305cbf6630840882f51a05be50392861e411ea48d286f782fede6073eb6ac3f15d793245a15c54002b03c4bf32254df12a21abbd13162e043f754cafe75b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7eaa8db3e889a7aed5f8527b85114123
SHA1 9901c402efbf7aa92ec1da981c63182419c6d50b
SHA256 b35cee88ea742f0216f711d26da43f6837cfef6c07d70fccb3960248bcfd0701
SHA512 fa88cb10c41d68e1dff6b671a9e43d8e97295c3e2d5929ad623958f1bfe3101032eea74a213bb3ec19294aa372a242cb704888ec21ee0295bbaba57af949e9bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 954edf1c04262dd805ba647617a7e3bb
SHA1 51a54a1022a796227e5c7ccb7a2d572d8d943793
SHA256 2058f15207a0e70e6f857658ef5b812a349b2ebdf00c564ac727dc682d6d8c4a
SHA512 bc75aa7092a5a25d7991940207466928df7cfdfb1cb81b22c315293070a9b5d8504a3ef315945e42357a7cb6586f7b140bced9769561e3204c9f67f8207b04d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83fee52569b46247f8cab325b150dd4b
SHA1 1f603ff09fc8e605cd5d8bfdceda4efebc4b315a
SHA256 dd74f21be8fca724d0ce7612d23571c7a57120e5020893ea33d91187d86c500c
SHA512 184fd081136b9c9f43146b640a4b0d4cb3e9f2b4f683ed98c50b3341fe704048139653f9b2b5589402f4ea9eb85fd16d5c74d9b5c78afbb8cb137dab135365f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3a7d829314b537f392f3624d57f1c17
SHA1 263788b24f262e0b8620c126cbd6596e89cd76b4
SHA256 1b890a7eb8f7b2c444e4be23400d35d5ea81ded4eb913259fe5b038721b96ac4
SHA512 8ec4dc9c4f99511f360d39bb2175499b2f3c5c1f37970c36f3cbbc77fc994313ac3bbe04a342032bc8664172625c2be2214b5d913989951edcbed03f9be8fd2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ec92cd5cdaaddf099c46847ee52ef34
SHA1 1ff59ed0eb7501b2ae0043258679bc4f539601d5
SHA256 63a5b7adcd4c084c7ca5db9089bf0999adfb8de8ed13943f8a83eee32fc43a8d
SHA512 6ec928416b4630f9575b99dba6e4948fb9653121baae6ce93d511228a7e4b205bc5c8f259633ebe234d0a85d83ee8c344b713f6a1aba81466a9459fb859bdecb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15c627968f539e70b7fcabb39907f03f
SHA1 b1fb4a38d2034d7f243bf6e17b88b295ac040dec
SHA256 adbdfe7613ed650c48e4d7d2bbd20e47d6737797cb4ac5e22ed3a2b1e628f634
SHA512 1ba302f1174e9e3158e863216069071983ace4fd9bf8b99eb281cb4e8841d8f46b6b28c0ed58b44dd53116a50e52e2266a802a8b768c385fb4d2243202bf0885

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8de58e23bc4a8200735786e07d2bc73
SHA1 b52f776ce67548e1fa5a3c363eff1eb806cfcf6d
SHA256 5980f101e4b365c35022e6b1b911238038db655396ffa806462bf268690a5b3e
SHA512 98be09bd256a4c4d25178463b3dab170ceccc8a6e19e277a0fa501640f670f61f8cf09499b9ee71c0b823cec063302a086496089d609e207024aa21ec97ed6ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8b77cc8b2ba439362c7db88aee40019
SHA1 fb04acd8820c07735094b4d8bad8dc118b2642fd
SHA256 95f59bc3a64e155b2dc1b0d1ff461b4a80448356dc8d5aaaf71fc9e947bda03c
SHA512 27386431c9e2e398e4c3ea667d4948e3e6e2e970ac3e36c7bcddc862644880f4e5ae71d1e5868a6dcdfc81ff34d7ac75e6ad111f27f5ec8e435f29b713833213

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61b75c29da9f66022e5e1101f02a8ca2
SHA1 1cb4ecd2eb122422f999f21949286912066c660e
SHA256 c20e1a3691a652e19d862587c5c568f53a487f6c48a1799590a2c957a5945175
SHA512 f940fe42b01989492b9d9b5da1db103abc2c107958242e4a8f5f6dcf6dc8f20b19513bfe65e2ab206d1f9866dd6e7690e06a19bcc4752da4bd5183213699bb11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 464b17b006a9219a31b4c215aaf51590
SHA1 c18936a118d4d6d8907fb260cb33b52e24a1a07f
SHA256 903389e0d83ec554789496a51b0239114f4e96bf0cec0dc4d8bf9e795c1bf25a
SHA512 ce4b9134866db7b55e1213a3bbc7de2b4dc2b5faba6e65ecfe105bd55417cfe27198cbd2fdbf7314074808b2bed208cbce2032a652d5c88baae00e774b6849a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fc753a1c540fb6e322ab54f7bc8c481
SHA1 888d2df9d3b05c550601ddc502e1845bd14c8eff
SHA256 09a09bcb7cd133dd668c66755fe6041f38870d4673150ccc2f09579d4e50e854
SHA512 bccc82ee9f495cc830702fe54cab14076b122359a5307870e6a9f51a60feb8b5e778e5d979db9f46904ceedf1af93ddd71423775f3a2a6251f9cf9d9db025a20

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 1104 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 760 wrote to memory of 1104 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 760 wrote to memory of 1104 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:16

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3872 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\toolbar_id = "{BFFDBBB7-41F3-45dd-A4E2-E4C336D983D5}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2352 wrote to memory of 2196 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

N/A

Files

memory/2196-13-0x00000000003F0000-0x0000000000443000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 4688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff82d4546f8,0x7ff82d454708,0x7ff82d454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,8530562333965427144,15813629844038457324,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1376 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 559ff144c30d6a7102ec298fb7c261c4
SHA1 badecb08f9a6c849ce5b30c348156b45ac9120b9
SHA256 5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10
SHA512 3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

\??\pipe\LOCAL\crashpad_5020_XEPEPJRXDFOPQNJO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e36b219dcae7d32ec82cec3245512f80
SHA1 6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466
SHA256 16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b
SHA512 fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a13bd50fa42bf13885986cb952c18834
SHA1 5c74783aeef3598c2a9a4702fb07bc1dfb32088b
SHA256 6a517037f348e16d15f557acc9cc06b3e4743ad77fa7ee6fbfd436ec3c7925a3
SHA512 e168ecee4ab286eb3dfce7fbe535b280f89c0504376022937a9a98c25213a1c70bf3c59928ff62080f2fcd89b47d1ef7dc9765e87f9fbd37b541a6503df19edb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3e009f0dd186a9e5d1b6c18963af69ec
SHA1 78ff6382089d95d50d950246e132d880864cf3fb
SHA256 875ff2362ff5939d788c59654f620a7e858929cdee244488e9e8516a09851ca4
SHA512 0b749b624ea7fb542caa7048209138fca83471780a79de8f29c334d2529914dd737b50080a1126ceddc767f1bb0ab3dcb29284308d899a8245bef53a2e5185cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7824213f3862e769627c7daa35aad53b
SHA1 59676748533873b3aa6211d5c9652730ce18dff0
SHA256 fc268b94e349b2f01fc85b43708e689e22760d0252a707dc7c34e675367df1fc
SHA512 ea7561b7f983e37d9ad18d53fc4ce029c2cdf2c407dcc554a51528ee2aeb3f0d6b48bc7dec5e0eb8b6cf75fc2503a67b00ab9ded24f6e2e840d651c42a1baa1c

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

133s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C959331-FAD6-11EE-A564-5267BFD3BAD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419312668" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000000f723c2ea1df23ba96cbb79f9c295f8c113432262cce38f93d08f8841ac6fcc8000000000e800000000200002000000065eb11d4bf9bcdb61c92c788aa90ee961ec3b4ca0e228fd9dafa13b0935044ae200000005e506833e3b7188f3cf6903a8edd3afd14f82d356a928e0bd43670701760bab04000000091a57b4146e4afbdda748ebe06bbcf9c9519ac9005cf10c9e04df9f00f308c238c7ba6acd17d72b2c357a267fb89a47d9369496eae1e74a7fbc43afed688956d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504819f1e28eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000bd7eaba49f55f3f16cade917969ab58a51c7b00f2301afd728c51cd2eb8179f6000000000e80000000020000200000007af721d7cf4779fa045ff2b69816c9d6ae70ee1e2ad1d1e505edfb286ac3ef11900000009a84dc1c65a189af4578c5f566e34e5c240ba81cc241e1280bfd090e8b8d90604fb4320ff0b0fba55ac7415c07ede91d5474a789cbf95c596c152071275d045044fc84b9caee61483a34d487c63f5a40a6de9563a3d81dcc689c7369817104610cd7704ade6fc82e8332bb0f5d83bab22f564443cef0d0892368731553283990b08ab4657bd9182276f76ce40a9dd91c40000000b4b3c5048a2e9cffe0527eab78532fd24835fdec307fd548afa9bbcd2969775bc6f9e8c334a6746b62f2d0445cffcf9d919e5dff0bded63b4deab21cc3d48b87 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab427E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar4361.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ead9c0df3b98b10e14b8d2d48a198223
SHA1 aa1521670fdcd8f71c0deeda7a838eba93767d12
SHA256 e5749ab61c9320d05d81fc90a60823ef8e083e65b6c6a6814c41d705d87e67e6
SHA512 0bfd17c07b106842a0fbde01f73406153060e98708ac20e2cee9fc0b5bece16839da0719e826bce2ecd68f4f61480c82b4c0145d8d2c2d33d6c2397de389f68c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91abb5047604cfc2a58a3fdf877647bd
SHA1 f653c52930cdf73fd34b3dbf9a9b6773b6e8bd96
SHA256 23191bbebc74b3cf6343225a82bcb60830ff3115dfb6bbe419f1a46231a4fc63
SHA512 c3f2360da82dd64e66ad13056aed901b4aa277fa8ddf0d05d6537d7a7fc414368ef23221110202a68fb545b61bb0ccf6743fa77295e0bf17226933f23d934a82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2890f6b204364f0360ae09d0ac447f29
SHA1 ba5e59211d8de097ddfbb0830137169c9a87e9de
SHA256 f4fce9b6641214340d4f596971c293cce54a4657977468632768b8bac97b62a6
SHA512 5146a3a2667b2207a4f1fdcaaac1eed053726625df287fea7ed3e16fa7698e0264c024f44062ed6b40dd9064b3636112c6f6e575f0022b6a3bdd22b69be3b6bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb9cc9d76ee71992a8ba86b3df4f209c
SHA1 575d5ed8be06cdb137d852f1db96b385539b6805
SHA256 900a62456815e0f281a00d0a25fb8948fac1bc12877436a6837faedfd1982e94
SHA512 746d57da8e512575f7c8bce2ccab4f56194843f63a601a0d43d2ddb2e5de07daaa348e98d3e44d7b2e080270eec250eca2b7d6d25ffb21564dea465814a67605

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7478bb9a5dd2c31ec9e0766dd97d4d08
SHA1 84e12af9ea550c548051af405ff048edf30e8edf
SHA256 192b646ad153f75ec3aba24de637f9d89bc460a4646ff4f2607d017ab1578db2
SHA512 f12819a4d855d8df9a91643659f07aa651e3bf40277dc98e1841fbd41a43ae1e07de26ef5e02ff5aa40559c6052ccc8046ddc60960350e7cdc5f5a5a6007e8bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f2d5b1072708aeac04d89f042204260
SHA1 84b5c9e5fe70fcf1b8d2c17327333a98d98d9649
SHA256 b131cb154de7657b508f90672e533224854ab66279e4c3702aa9648f2572370d
SHA512 32e7a82c1490107110fee51ee2e1bf454e0da6c8799d95f5370ff7ca530ef6ac7a4114154963b8ab214a61ce25631df2fe4545b75f2f3a33b74418c2f77a5b02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7af968bf1383721ee5cf24f0807969e
SHA1 b4be0ba6367d6347463881f9e0990fc2a442e5b6
SHA256 f187d11cb454356046d3ba618a88dc751afe8be9d6700fd956f6ceeb8ce8a57e
SHA512 1343252e90742300198157d8d1ddce07cf0633f1ee842175600bdd88d978861aee0fb213f220b4a4fe96a6c0ec124f809e0bad019b4001e65942edf0df4bd9f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc9c730c82826ce58e0ff467ef356ae5
SHA1 243661f936d15bccc38277121db833a8ea03543b
SHA256 e9753477384d2bc7ed564f78771ea7aaf9b860335f54fb1614610a25e77acbfe
SHA512 30d96ee6f89dc6cdb70ccecd2d601fc69e8f3f096e382dc7335d8986558513bda2c864ba6ca6037ac75ec2e83e3f2b80db06fb291821d037786b721b0c9e9704

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bb3256a2cda9fd6a05b97132e1a12e6
SHA1 ebc291540584390a94603a969504bbc854424b1c
SHA256 b9d79b2d3655c996c119bedf4d0d4192bd61bd112f404d63786052d63021add8
SHA512 ebb36a3412749a4105bf457a95299ba114514a753350fd5398cc474747e1cecb9cfdc195d9ab886624e4755cd9680a5cc806a8bc0ae4b6429f272a778296213e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dcf15bc6b110ca65406004631588b18
SHA1 558d04dc9f002e8101035aa4ba569403722e3f6a
SHA256 382c54038d0d7c8817683aac5adf06e45e7c6510b475462ea43f01f7aad19813
SHA512 d6391897a8852e712e9ecbdc2d3c8651f13badb9113f67f02a53a118aa2de6d658681e3cd4b1f129c73b8d4a0a9aef55cb9ccdbfa426d4ef35d08dc488fce481

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21915f13d652c99e305973535255f6c8
SHA1 a943a6b11be720097e02c4c18b13a78eaffcc6f4
SHA256 9b47e8216fdfe9b4bfe9cef8d17107b0613a2a1d831476608b077c3410c2cd80
SHA512 2e9c446ec7dfa77367cdb3d865eef772ed10395c6d9a614d192733356c6ddfa615b6953e275c8d45ab9bdf8fc4407ac26f10332a7cef0d6ff562bc28582af781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd319ae7ad73b2796fa8eee499ac5315
SHA1 3f9db813b80763d8249cb82615e7257dd9b6f93d
SHA256 d1b3d95ddfa4f5f571d00200975c385d6a5ae9e64694042199bc555442a862ae
SHA512 120189c5f444c6d4694f27a334f12535638225f6fa0a66663281356968572ed06ece19b12765d6f12d2fc58cf54c5cb3cdf1a09728a35e73ca8616c5c0aaae09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a82ec5ead9fe58b491e760f5e16d19a9
SHA1 4911c8447a1d0140a021c2b6b80f4de4af7a55ea
SHA256 898b0d34d8c7170952a61833f9e6b1104bf8e320760479a0720eae0267896879
SHA512 7f532e6da9921ffc121ee436fd961612f4ad3e533da42d61bb0a2123b80cbf756d6bc0fa31ec27ff87d51cbaa8bd2ffb6cb7ed56e32ee8f96036948c9e9c1de3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c529ab3355543be2447c29855092b635
SHA1 49f18f3dc5bad941c2552a55e69c9537b88b8046
SHA256 8771541321193f32c4c2dbfb143d381c32dcc576f6e2a178ff115771b0b9e7d5
SHA512 cb397b577a0f86cf2884dce9520cae7a0a125f70e919255101ed168d49905f294842048919f08db27d7136fae266540a1413335647546b529f2f0ab49b44e0ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f74007eec3699d5419f238462d097a1
SHA1 608ef63078e251e93df025550db1beaa7a640b85
SHA256 cfa2d2b5e4bf8eb74162c9e5d738e75401af82bb5a396e194906c570c728e467
SHA512 2f82821aabb1260751fdc3b5d1deef1ad09e5533b49e0deaa9c21f94cc7246dce4702aac932f31c70d7705e191c367e87ee06a9e5033645d5eefa7e486063697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2073cf61fb1ea291f83c634a8dc4446b
SHA1 e300cf194e02594190b0782b2db47bcf2398a601
SHA256 8039e9d5b50291bc9515f8bcfd6aeeb58704030174b7e5465b2cd30e4904f36b
SHA512 49a52e3799024aad981cecf4502d6ed940cb22bd98772fb7bb24b60605c6e524cbc6ae44a87bc61c985a5f589e32d985699b3d2ccb2cfa2b1b28a50df01bf727

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

136s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419312671" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000d688059ef09206b99a0c84a69ccc9bcd167f7065ef4f8dc5ad521dac9e2450c6000000000e8000000002000020000000809736d44ad9a17dace88a143658bac7eebb8cd8f81686aeb6233cd846516829200000006d18fb809acc13d84c2adbf4cbc9d431ae43a67522d18b5d89da7ab788cf174640000000f1aad2cd8d1d49b17b14ac8f02176b58e2fed23e99e93e5ea63f7ebc2dcd2c96714f6b5d7162877dbcf34297d2f79b6578b603bc2fb713fb29ea9a06258c1c68 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000cff371ddad5801862c3fc4bf0a666a043525fe55d847fd08efac2af4112e860b000000000e8000000002000020000000a64a82ba37948923e2066293394d92f98abbcda8b5c428bc1c9a347f0858651d900000008143352e7e913a3d262301960e127f4af2afbcb45f30e9f5cf31320fc08bb5e7df14e000b1394098d83fcb744202b699199fd3189bcfd931e0a4a510ab3cede71805b1072e031ec6d2fbf71a61b879731bca567be47f984f79a16d03964adc4342fed5022cd5da60ae1cf70c2be5cf25a3babacaae9a39a8404984be79dbc0e377310b3e168dd43f9164b5ab198f6c534000000050be24f9fff12883b1b6f49df3d245b9aa9c5763d9e789eaadb8bd6aea776f80e1b4c8cf354902f1bee4a6d7870c41b8472e0b6a71e106b6fa3e8d4586b2f9f0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1DA57C91-FAD6-11EE-8C0A-EA483E0BCDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204c67f2e28eda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5C65.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab5D13.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8acdf8ba9548e7a3edb2860f5f9decd
SHA1 54346af965b83dceac0b896f545e4fd2906f338c
SHA256 ab51b7e79b84a1c81da79577a773efcd718828c506922649861bbe357ce9bd6e
SHA512 e4874b84d7450e4f0d517ab6f0e9a8d27e71bbd107519e3f71e3f567270ca72826320d02607b6885e27537cbf9d352a63acf651ced4c60a7030dba66917d3098

C:\Users\Admin\AppData\Local\Temp\Tar5D28.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5f3a93aa99fff8de8928ced755134d3
SHA1 1d2677418e497fe88a8fd5f44a9a9f27309e7bc0
SHA256 7c04d747a9becfe8882b515d8b931ebf444332970aa94b6645ef66b3a114141c
SHA512 25df0bf8468b1cabe6ba929fca03b76b3c23ee443ba7272bc49da1a1a06c6140f76cdac6ec048fd6331bf54bd96eee35ce66a520a3ef5bddec619aa28d23b17b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a302211907d7c461146ee1bb6055d54
SHA1 eec60c1cc04c120b4359ee890724fcf79da8c546
SHA256 1344bbccaf68ee7343eacda56f966fc59f2e498d9a20e3d1dd8f3c38333af1a5
SHA512 ec18345bab503d63c59536deb259d7481e9d7ef7be531333a28a3cc58f8341422f11790b0b154298f7d3784c15d4b10476e841e24558637c9010123b0a7a9846

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc8f75475ce43f649aa3ab3758257c0b
SHA1 86ad6db9493be6a3698a21c49ceb89d68168c059
SHA256 f801a52c2ee4fbe9ca8cce62bad40ddbf94093ec30a26a67792fc0e76cb64165
SHA512 951add13ae164c1623a98908c6c0e6f6b84a18b2463c56bff1a85b60243269d7980a2c35b153c584a17fb6a08f20231b611fd892da43d1a712ce6407fca72116

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94eadcd1d8526086cecb1f360eb5273e
SHA1 98466cfa69b8c02cfd788b8c96711d354802de88
SHA256 aba3fcc65a5e0fee64992f148f877c71d5cc07ed2fa343bc2116224867268430
SHA512 2ce9a71e8885336fa99be3b45c777d9b336a733a28f592303c4e5738dabff810225cda1afbb69ce67a5971dc358b74d44b4dc71dca2da3456a2d1fd75d04a7a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38cddd1b9eb9aef88ad7f574d2ed3e61
SHA1 71a42be29ac5e83c602a93a0a386414974fc1f09
SHA256 6621a077a1d3b27d4ec0d3fb46473697244acc0c6e8d5a5ad72ddd8fdb24da53
SHA512 417c0e00bb1e1ed22e0ad5b91dc05350a406774531d16c853359187fe3bafaab165eaec2f0faf866f0994892e89392dbd4b02e1335269bdfec52e87eb0cc9644

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bd36b2d18d60f1c47cae4c80afa5a2c
SHA1 db0df740dea11b45cc7336672432df46cebee547
SHA256 b6494893eb60f49e1d0fe33da3c5f587bef2565312b43736e4e9e4c137c64cae
SHA512 b9e2f66b42e78db0e91a8ad6d12f1c2cc4376bf65b90fe25faa9f31b6ef7aca47c527ad7e8c407a1889a5a30f930eb27f8b474e227b7b7b4e8d04e4aff4fd3d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf76b65fc158cca10d1a222a73ffa75c
SHA1 ccc7de2eee1b656a2942c5df575ce7b0d6f10e5c
SHA256 dcf746487bacf4fb2caea0948fc518a8d43725c7914706dc81267800091ddbf1
SHA512 354cb04579951c5cec915defd206dfd517d9b292253f82d45bed74ef2296d3783596f9acfeee57e28d6bec483f95d39d12aad178df034ef3d1599364a42366ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe5c37d7c2bd1055f6ba1f1658018a7c
SHA1 f1a7c91b52373f9157fc007b74b4a123b1c4ae1c
SHA256 47856c6dd18a62c45229603d29513bcc9568e684c4538657ae298079cab30d89
SHA512 754ceb07b32742e1388b67915e12ad0729bb8593aaa1e2e9e861699b6ded5618144491ec61e36a73c1788debc427cbf57aaebb2cbd9fe0221c0f6a86c6b1a308

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c91deb0f1b0a9a278fcf1ca7c5349df6
SHA1 1896d6faa06e11f196b8c733709942467da93d0d
SHA256 8c64dc3afc78a7a2dcc344898b8ee59b44674cfec66371a8da858cddbf2d16d8
SHA512 bcd7bafc542b74974e206effb32c396af21cf1a50dfa73c27e751fe268767437188ce006f3c15826b874a659a2f8780896addc42aa00a5c527359294145af145

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17f54d2a1def098f6b47658ec810709a
SHA1 35a90c0231c22ff60a56a727f9837ce1b3b253df
SHA256 7aa2e67fb650169049ec1c8928eecb438ee91712e721ef5df2a43ab75e610353
SHA512 a361276bd13f806c0e652355e1769bb71f562a21eeee56c0801617ae2133ffce62bcf2c7578d0c847b66c74df330437c329c680f027049ce44353208203952db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b7b424a79b4407300cdf20e3d36cc21
SHA1 ec933c2958aae2c12ff90393eb49336e3dd9546b
SHA256 7fef711c7df758bb7652ccafa1bfbeab547c513fa195b13ff60c953b73de1bc6
SHA512 1867e5467bce4e29914e8004e328fb5c6ae5c6b07c8b050f411cfbbdb1cccdd13fed3ae0c93ae51dcefcde2391cd21e1c1568f88503acc39cf81c802ec3456d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbf6f866cdac840f59db64f65ae03b2d
SHA1 5e9e32b7fddd6938394b91a01f695a76a57f42ab
SHA256 1a303ddeb7258ffe8fd33ff3bd57590fa582db5057754e43fa69dcd32368a490
SHA512 9d1b47ace2ab810d82ce1966e8c59713ae694e252b1465b0db46ea545786a2b75a67b9505a43c2ee145d636eab1bfeacd1fd75220041bceb2542cb64e75eb77c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 293f56efdbc45800800877989cc96e42
SHA1 8f630a59a84a241e308d546c753dc2e05f57ff1d
SHA256 7c3d0a4ab2ea4d38ddc8339704aa04a34c94e3556b577cb27c91240ea6f3372d
SHA512 00d8ac7d7e6585dff8038a164d816f556a7f5c766fde6bbcff68bd2e4226cbf9f6699f42cbca7fcd4a1f84dbb22049256e485611167ba264b0f636ec5a923726

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f320bde2bb5c031b5e49012cb27e6547
SHA1 f742deb1515783e7ff6e6c2013e0ba7e07f623a0
SHA256 a83e7f076a3ec690db2566860d02c0875f01d75a9de1217348391d3ba8d3e860
SHA512 56cc0a8827f2bc95bce1822330ba8866fae56405c4132c71413b41d88d25f23453e2c94deb74226a65d911cc334c31cb482db2daa12f6b518ad308cff864c0d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 607a3137041bd0e2ee639d739b8eda28
SHA1 1c31974160942429ebd6909bd6383b44f57d19e1
SHA256 d3e130b4a976fcf894a63d644aedc10fa902d9db4242913e8cf9a62dd406a174
SHA512 0506b22b5cbf944a632bed4be36c40981f3fd7b9682606ad34c04dee4261a6a47cbb0d60eb6c18f92fc10df4a96576ead1b9df598c18ccfb90cd248eb5db226b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d07dc6fff0041199e71807a19c5fbb4d
SHA1 51d63abf1c90ac69107ec80d074365c422ecb043
SHA256 d9f261e35bf2f73fd447a0cd24fe31b6fa5787f049143d7e0ed6b44c1db52e3a
SHA512 90a86d76153aff10843027c7a6e47c9890e109b899250eac24d18509edaf1bb7ef5158e2aaaf6e45eb7d24d58897f6da1ad9330a2b5ae1bbbea97bad1947ff64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa5d2254649769da9c8c02e60b77b333
SHA1 1176ccc73721730be778fda61161dec6578c5b32
SHA256 36f854b72fa2a44bc396cbf734d5cd58a2bd33deecdc0bd6bafe5e5881edd20e
SHA512 c4f07dbfb91c99064bda2b2ef98d0f5059e0147c7c4c6d0acecb71796ce5be4f61d49bda27a61b8dc9386eafa78a2069cebac4abfe1d3f62e6486bd960d4d4cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fff57fa78b66c448227fed0478fcbd1a
SHA1 c52b40f8994504e5d984b1863bb156ecf9ebd38f
SHA256 016132785f381f67196cdb0f89d2990ec2c8459772b50c49141c2bdb9926676b
SHA512 3517485fcb8192419d0b3b48f816ac22bd7bfcedfb9f13252d994a9b9c8e7e4ec0d43adbe9f7f245b4cf56374ea9c514c30cabfe22aabfa69195dc96f1d4231b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fd1c6110fe853c69bc9af15076bbdbc
SHA1 456cc6dd858f0b35415dd9d8e2fa65b8ab84b645
SHA256 16a15015803d3162327ba5bb6791a9e2e6f06712ad10fdba89d41f6492e3d362
SHA512 66aed41627a60eff6b4812760c17233f0a744154e01b78ff713a83026c6f1c82f47d08c7f7e932191daddf89a0ca8f5213cee085ef17e6797af1145b183a6d4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26e2993598663871ce7ca83e210d90d3
SHA1 b1078b1a57a594f367da36be552c71ad51b0e353
SHA256 6d45ccc0b11e1c53bf34c3bddfbc5eea0663ecfbdd1a84b16166ad8c8b8f08a3
SHA512 0cde29e5285f4530a25d5a31030a8ef881de155cd123a09a6c604282ea29c30022e9030836f4806254d9eacaa0a83ca2069f559f23192ea69f2bafbe05509f22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd731d2709396c8f9803013b4513e6ab
SHA1 a21783a43a4f8842cdef4cd80ce72d755b75faba
SHA256 5248c5a290a61fdeccdc21c879aa7db2b023288e6c4243c2df3e0e09690ad75f
SHA512 c4a37c421c6d80719fe50e88bf633248af199c5730f1aab9b2dc7b7c553e7e7e8765417c2fb7cc6d7d2c6e69028ec2a1a52f328643e00171d398ad06ff8a9d9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c679c9df01f49bc5e5b1c6c00c5ab3c
SHA1 5f12be71ce49327e7465735005315a71d3961d0e
SHA256 c15ad933c1fdbe0b72d3a779ccd1fc5abba228c1266027a6799f952efff405c8
SHA512 faebc85da1b5da65c267f0f63f2780af223f05684e84cdb3e1bbd60f8ef8e51d17a6d2db413b46f4e0f2f6b04b14b7d0751564cfab2f6addbc269cef46e6169f

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2504 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 85e8a76085a504ec691ab502388e3feb
SHA1 734602f9b94b706162c804789a1150e5abb7f849
SHA256 c61c4691122537b45535af8b6385ce1030cc2c2bd7b5eda99591464c99b0e9a0
SHA512 6157e7a7d6d0b5bfb063c1b21f1b8368ab4ff7bb18cf9de1c83cacc6b209a4c07093b5de24cee5824a4683899b8e126fa49962977acd728b0351be7f60b83b08

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 85e8a76085a504ec691ab502388e3feb
SHA1 734602f9b94b706162c804789a1150e5abb7f849
SHA256 c61c4691122537b45535af8b6385ce1030cc2c2bd7b5eda99591464c99b0e9a0
SHA512 6157e7a7d6d0b5bfb063c1b21f1b8368ab4ff7bb18cf9de1c83cacc6b209a4c07093b5de24cee5824a4683899b8e126fa49962977acd728b0351be7f60b83b08

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 3856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 3856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 3816 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 3816 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4828 wrote to memory of 1224 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4c4746f8,0x7fff4c474708,0x7fff4c474718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11184457188677274557,11480923122593242809,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 104aab1e178489256a1425b28119ec93
SHA1 0bcf8ad28df672c618cb832ba8de8f85bd858a6c
SHA256 b92c19f079ef5948cb58654ce76f582a480a82cddc5083764ed7f1eac27b8d01
SHA512 b4f930f87eb86497672f32eb7cc77548d8afb09ad9fdba0508f368d5710e3a75c44b1fd9f96c98c2f0bd08deb4afde28330b11cf23e456c92cc509d28677d2cf

\??\pipe\LOCAL\crashpad_4828_CEJERXMHXQYEBSGU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 846ce533b9e20979bf1857f1afb61925
SHA1 4c6726618d10805940dba5e6cf849448b552bf68
SHA256 b81574d678f49d36d874dc062a1291092ab94164b92f7e30d42d9c61cc0e77c3
SHA512 8fb228fae89f063159dabc93871db205d836bdb4ec8f54a2f642bd0b1ac531eea0c21234a8ca75a0ae9a008d2399a9bf20a481f5d6a6eab53a533cd03aeaaa2c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a608ac6660a50cfcb59c2a7ffb722ce8
SHA1 5c8c27c887fd4e8067df1d0331a31b84bfebf8a1
SHA256 49a2d0497a639e8dfd5a1f35ba160684b977d1bdd2d01104038caf27bddd4fd4
SHA512 ab2819626e18a0810d5fa84a2852c8b3987f9024ff399590a799d284b0d092350d2692b38fd2aa0607066e17535797a6f57d94a5ee8a61d5b9ea522a5cd3fc90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 36e2120555e099b0b25cc538542c830c
SHA1 bb1f49b98ef5a86ecc51c0dfcfd89083e9618372
SHA256 5958360e23c89d7d5670583179cf6c4c73de06a15e04623279567e00ef903483
SHA512 1581b1bc81b9c1d8296e231b30ce088787990ba85c9e1dba7f9df77c1efafc977b613db5adba45a85490a9cbb2845f927234f05889fc3e2a16fec7bf6e25d404

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e98f58aaf6ea197c9845bc2b0b3f9c0b
SHA1 2e97386f91110ffdbdcd314796cd902f5ec68db6
SHA256 a8ded62b2e4efe2a36d861e70bffb82f845ac72c9679d6743d9cc98bcc8b1fb8
SHA512 b633fb1126cb4dd93621f2cb05f512a38ff6dc951e922c25d17a23d26b54b80f6e859e581e90ed97798e236f823d8de95976b601b24b95f2b191c7966838c1fd

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr" /S

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Timbaland_Screensaver.scr" /S

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\options.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\version.txt C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\update.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
File created C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\toolbar_id = "{751E798B-ACE0-4cf3-B54D-7E8F41C0ED45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"

Network

N/A

Files

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll

MD5 0f1846b9162b08ba83b187f8b812882a
SHA1 3bb577471354017b5c8f6ff1f5159801000110e8
SHA256 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f
SHA512 ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0

C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml

MD5 ddd7fcc20dd29eed331b186b5ca2889d
SHA1 f7890c5e84f74890bd36dfac8d6f6912e68bf60e
SHA256 c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5
SHA512 b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2

C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc

MD5 ec3733d5ea6c6404204c5bbaae9210e1
SHA1 6b70c10e79e29904fee05a76b3852ed4e437fb25
SHA256 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903
SHA512 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54

C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp

MD5 0540c76a162cf8aea5b333a6e183bdbc
SHA1 10650aed77cafd0e0e10a98a67343157abe93652
SHA256 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0
SHA512 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4

C:\Program Files (x86)\DosPop\DospopToolbar\options.html

MD5 adc6e16ce6e97bd1eb19d3a8dad7274f
SHA1 12b55eab3225b2250ba051803f7d791db59a46a1
SHA256 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b
SHA512 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103

C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp

MD5 ecf6053084c253b4ecb999b77fd5e7fb
SHA1 fe7359187bd92e1e9312789a7c9ca1df08947c26
SHA256 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105
SHA512 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f

C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html

MD5 2caff3519f5be538757c467d4fec4756
SHA1 7e77344f049d9ee4d216b6f412c01ba28596773c
SHA256 e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415
SHA512 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467

C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html

MD5 0bf3de7de6f6a9ece7674fb245c7e428
SHA1 a71d601820676d5741734e825c7347d59570bc98
SHA256 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b
SHA512 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2

C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp

MD5 de7f84d3713c0e55ee2f584345647504
SHA1 8903bf45c1993fc2df3313e89971b4cba2ba9239
SHA256 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884
SHA512 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193

C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe

MD5 652d9d1fc071f90c3e0adb8d79d7ade2
SHA1 b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a
SHA256 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891
SHA512 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae

C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js

MD5 b734be75b8963660abfa7412095c7a82
SHA1 6091ffb358b2596d53f4e74e09da01326258dce8
SHA256 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5
SHA512 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68

C:\Program Files (x86)\DosPop\DospopToolbar\version.txt

MD5 f1610ba6a619c1703c4dd4ea1c8d71e5
SHA1 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81
SHA256 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666
SHA512 de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e

C:\Program Files (x86)\DosPop\DospopToolbar\update.exe

MD5 c050609bcf90684099902c043661e739
SHA1 e471468f128e3f8899d53f54f0fd64561a297210
SHA256 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8
SHA512 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846

C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll

MD5 8285d06c80bb289d22d7c67c4df2d51c
SHA1 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f
SHA256 d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29
SHA512 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775

memory/2628-43-0x0000000001DF0000-0x0000000001E43000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

113s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\firstTime = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\toolbar_id = "{21F9137A-60CC-4ce3-B921-F10946B7DA4A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\TBSB09293\Toolbar\updateXML = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID\ = "Toolbar3.TBSB09293.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\ = "TBSB09293 Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4632 wrote to memory of 1624 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4632 wrote to memory of 1624 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4632 wrote to memory of 1624 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1624-13-0x0000000002CF0000-0x0000000002D43000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-15 03:13

Reported

2024-04-15 03:15

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

N/A