Malware Analysis Report

2024-10-19 10:47

Sample ID 240620-hlwawsvckg
Target 03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118
SHA256 8d1b409c922a30753111d9b8e9baa54e253123b743e9bc5ccefe2ddee13c4d9b
Tags adware, stealer, discovery
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral11
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral13
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral16
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral19
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral15
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral21
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral18
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral20
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral14
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral17
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral22
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score 7/10

SHA256 8d1b409c922a30753111d9b8e9baa54e253123b743e9bc5ccefe2ddee13c4d9b

Threat Level: Shows suspicious behavior

The file 03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware stealer discovery

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 06:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240611-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1436 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1436 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240611-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1248 wrote to memory of 1596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

100s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ClsidExtension = "{B6856926-5386-468f-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ClsidExtension = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,204" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,203" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\BarSize = 2301000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ButtonText = "SmartShopper - Compare travel rates" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ButtonText = "SmartShopper - Compare product prices" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\CurVer\ = "Smart-Shopper2.HbAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA\CurVer\ = "Smart-Shopper2.IEButtonA.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll\\4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\VersionIndependentProgID\ = "Smart-Shopper2.HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand.1\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\ = "IEButton" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\ProgID\ = "Smart-Shopper2.IEButtonA.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\VersionIndependentProgID\ = "Smart-Shopper2.Smrt-ShprCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\ = "IBrowserAdapter" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA\ = "IEButtonA" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ProgID\ = "Smart-Shopper2.IEButtonB.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 4720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4588 wrote to memory of 4720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4588 wrote to memory of 4720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\BarSize = 2301000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ButtonText = "SmartShopper - Compare travel rates" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ClsidExtension = "{B6856926-5386-468f-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ClsidExtension = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,204" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Explorer Bars C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ButtonText = "SmartShopper - Compare product prices" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,203" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\ = "HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\VersionIndependentProgID\ = "Smart-Shopper2.Smrt-ShprCtrl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand.1\CLSID\ = "{9BD56158-44D3-4C57-A4A3-3FBE94F19842}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\ProgID\ = "Smart-Shopper2.IEButtonA.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\ = "HbExternalLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx.1\ = "HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\ = "PSClient 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton.1\CLSID\ = "{B6856926-5386-468F-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\ = "Smrt_Shpr 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\VersionIndependentProgID\ = "Smart-Shopper2.IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\CLSID\ = "{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CLSID\ = "{8582F990-59BB-4846-B81F-6C25F0D9B70D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll, 102" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton\CurVer\ = "Smart-Shopper2.IEButton.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2988 wrote to memory of 3008 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SRCheckPermission.txt C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\SRCheckPermission.txt C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi1CB5.tmp\InstallOptions.dll

MD5 7e49eb67f1f3c62bb8c4b0a868b30645
SHA1 2be42e3c6059485bc3b624a537ab1fb36a10a263
SHA256 17f0946e0847bbaa6a06eb58aead13fce22a8606e9b3744cd2241debdf8d8bae
SHA512 469c28b6da5b9499fd417f8cd74414d6c6edcbe6567eecc9421a69797a77ec323936deb96cd151611da57e311074ec0c56d82a9800d7aebac9538a947284ff9e

C:\Users\Admin\AppData\Local\Temp\nsi1CB5.tmp\ioSpecial.ini

MD5 d2219a992830960effff5916d0a091a5
SHA1 f74f74d42c1dbed14a68a94b3e94975efdd2f9fb
SHA256 31dcae9a11fff111e850a1003b9a7f09ab8333402a09dd6d21e1979d8acc0563
SHA512 2dec21269bb7c65f860c2f3d3b7f98a74ec018fc36f81c69fd510baaeb1db2100c56b648b76774ac21267300bf5da79825b9b0f7b2d6bf59338aa3a2a37980ff

\Users\Admin\AppData\Local\Temp\nsi1CB5.tmp\InstallerHelperPlugin.dll

MD5 60fce1b83b34bf296fae2075ac819bf1
SHA1 24c6d7e599cc4774bb480537cbd923ac24b66ee5
SHA256 c68aff5ea59e11e621d33e0f3bbd67e7331da1a44ca34045dd5daa3a5486ef11
SHA512 540ca4677a3445ef6873c35eeb9e30a1d67f788fdb1d425d820b5624e21854b80714cf0aa00761e086dbd9868d1af63f31583b94d760b907d307a1e6fc12599b

\Users\Admin\AppData\Local\Temp\nsi1CB5.tmp\Uninst.dll

MD5 68ffd98799c7122e62b296358b8c5faf
SHA1 b8da4b95fc4aaf2f6eff7dc8d0e2eef387c7927d
SHA256 6e0ab96043a172f9bf9e575b39eb459487d983281233228b387ccedfef9ce51f
SHA512 b96b7e9e2eb1c5c533ae0d9ac5ff9991b3565e83e13c2f109ef04438bf5d425aa878a9b13395d286dfcd3c1084ba584f1f5a90faa3d1bd825ce37ad59f5105a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03c76407f7047ee900b78bdc18fdcaa8_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\Uninst.dll

MD5 68ffd98799c7122e62b296358b8c5faf
SHA1 b8da4b95fc4aaf2f6eff7dc8d0e2eef387c7927d
SHA256 6e0ab96043a172f9bf9e575b39eb459487d983281233228b387ccedfef9ce51f
SHA512 b96b7e9e2eb1c5c533ae0d9ac5ff9991b3565e83e13c2f109ef04438bf5d425aa878a9b13395d286dfcd3c1084ba584f1f5a90faa3d1bd825ce37ad59f5105a7

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\InstallerHelperPlugin.dll

MD5 60fce1b83b34bf296fae2075ac819bf1
SHA1 24c6d7e599cc4774bb480537cbd923ac24b66ee5
SHA256 c68aff5ea59e11e621d33e0f3bbd67e7331da1a44ca34045dd5daa3a5486ef11
SHA512 540ca4677a3445ef6873c35eeb9e30a1d67f788fdb1d425d820b5624e21854b80714cf0aa00761e086dbd9868d1af63f31583b94d760b907d307a1e6fc12599b

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\ioSpecial.ini

MD5 c975b7d5f00cd4718ec5a9850c6e837d
SHA1 ddda849c8a8979e20e18d5db9e6018ee14726b1c
SHA256 0ee4efada4699cd55f49a1a8fa6ccfa41b4eaf46546681ce3e2384248cb93b9b
SHA512 9edf5eacf13cf198a6bac3d55ef688889420e0855d052154190bfb95580f75e44c08caa00785bf10a344a91bf637dc5e36b9ed05af792c3098b2e65df90a6e17

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\InstallOptions.dll

MD5 7e49eb67f1f3c62bb8c4b0a868b30645
SHA1 2be42e3c6059485bc3b624a537ab1fb36a10a263
SHA256 17f0946e0847bbaa6a06eb58aead13fce22a8606e9b3744cd2241debdf8d8bae
SHA512 469c28b6da5b9499fd417f8cd74414d6c6edcbe6567eecc9421a69797a77ec323936deb96cd151611da57e311074ec0c56d82a9800d7aebac9538a947284ff9e

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\ioSpecial.ini

MD5 3ec848ab8ecc92b211d92da7cac00b0d
SHA1 3ed330de6d38f24762e2cf4e634290c2811ce9cd
SHA256 a756e8112855cc13f7dc9017ea5e99ce88873e9b3fc42ce19c3854f04dcc3cd8
SHA512 68f7e9ee240b7970d3fff8e0360f121ea0aae52b83df34334f9353dbaa3b170aa379796275f19b4e8afd2ede6435818dc245376fda96bcc2ab501b78642937a6

C:\Users\Admin\AppData\Local\Temp\nso374D.tmp\ioSpecial.ini

MD5 ee9d5fdd3fc4cca873b86c4a301041da
SHA1 790369935289e2121fb26093a7e38ab04149e696
SHA256 d42a7fbe4f463f29283fc2287d27f81c8daeccc06cec4ca11c3561ca9c6d9231
SHA512 b7ccf0ddde23ce88bd5d0e8d794e86fde739ff4374e616a65a9e544d4ca7116adece3e788e45c0df128e8a13a7d04f201d87c5bd0ca8812469d6c6c4f6406aa3

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3760 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3760 wrote to memory of 3420 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\BarSize = 2301000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ClsidExtension = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,204" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ClsidExtension = "{B6856926-5386-468f-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ButtonText = "SmartShopper - Compare product prices" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Explorer Bars C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ButtonText = "SmartShopper - Compare travel rates" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\Smrt-Shpr.dll,203" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\ = "HbExternalLib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CLSID\ = "{8582F990-59BB-4846-B81F-6C25F0D9B70D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton\CLSID\ = "{B6856926-5386-468F-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ = "ILeftPane" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ = "ILeftPane" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\CurVer\ = "Smart-Shopper2.HbAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1\CLSID\ = "{8582F990-59BB-4846-B81F-6C25F0D9B70D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA.1\CLSID\ = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\ = "Smrt_Shpr 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand\CLSID\ = "{9BD56158-44D3-4C57-A4A3-3FBE94F19842}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA.1\ = "IEButtonA" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\ = "IBrowserAdapter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA\CLSID\ = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\CLSID\ = "{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2444 wrote to memory of 2192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$TEMP\Smrt-Shpr.dll

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240611-en

Max time kernel

119s

Max time network

135s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\cs\antiphishing\antiphishing.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425028077" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured in report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{557358C1-2ED1-11EF-A1F0-7EE57A38E3C7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000000a64503c36fed80bf39474b1a2cc76bf821a66d30db18a495b2e4e45317f88df000000000e8000000002000020000000c3e1f560e1f8e8318f6ef1feb837ee6a39d90e8b6d23516bae13fb5c901450bd200000007bf95d7c22d958a525128b20446df3aac2b5d2ed0d1f01d7d09654f2dc344175400000002ebc6f643162e31871c2059e17748e5c686039101ecf53ef30abf55c1c0cd2097dcb1161c9587f1822c9c6e8de2d2f15074913be0de6bce6a5168445b8e20ce9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fdc02adec2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\cs\antiphishing\antiphishing.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1508 wrote to memory of 1904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 248

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1244 wrote to memory of 2252 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 636

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20231129-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerHelperPlugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe"

Signatures

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

164s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\BarSize = 2301000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ButtonText = "SmartShopper - Compare product prices" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,204" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,203" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ClsidExtension = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ = "SmartShopper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\ButtonText = "SmartShopper - Compare travel rates" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{3D773F1B-D2D2-4971-B3F4-73FCC894921C}\ClsidExtension = "{B6856926-5386-468f-B37D-685500A18D80}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9BD56158-44D3-4C57-A4A3-3FBE94F19842} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{99819CC8-3111-410c-A2B7-38BB530386EE}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\VersionIndependentProgID\ = "Smart-Shopper2.IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\ = "HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButton.1\ = "IEButton" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\Implemented Categories\{00021493-0000-0000-C000-000000000046} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ = "ILeftPane" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\ = "HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\VersionIndependentProgID\ = "Smart-Shopper2.HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand.1\CLSID\ = "{9BD56158-44D3-4C57-A4A3-3FBE94F19842}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\TypeLib\ = "{75D461CC-D850-41DD-B62E-03F404D9AABC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ = "IHbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6856926-5386-468F-B37D-685500A18D80}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90BCC28B-B2BD-404B-8155-9778F422B9E3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8582F990-59BB-4846-B81F-6C25F0D9B70D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl.1\ = "Smart-Shopper2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7FEE85C3-8006-4B4C-B696-9856959E084F}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1\ = "IEButtonB" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.Smrt-ShprCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA.1\CLSID\ = "{256E31AC-AC24-4882-A875-3F87158D35E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{256E31AC-AC24-4882-A875-3F87158D35E2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bin\\2.7.21\\Smrt-Shpr.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA3D1B0-02C0-4625-93EC-27FB1EA98079}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\ = "IHbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbInfoBand\CLSID\ = "{9BD56158-44D3-4C57-A4A3-3FBE94F19842}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BD56158-44D3-4C57-A4A3-3FBE94F19842}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1277A995-C3E9-4EA1-8979-7CD377508533} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx.1\ = "HbAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB.1\CLSID\ = "{8582F990-59BB-4846-B81F-6C25F0D9B70D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8346A35D-E391-4C1E-82F8-8C163841189C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75D461CC-D850-41DD-B62E-03F404D9AABC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.HbAx.1\CLSID\ = "{7CDCB11E-588A-4079-BF00-CC3E77B59FF9}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CDCB11E-588A-4079-BF00-CC3E77B59FF9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonA.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Smart-Shopper2.IEButtonB\CurVer\ = "Smart-Shopper2.IEButtonB.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C12A7CA-C5FE-41FE-8F5B-88083F1E7CC0}\TypeLib\ = "{7FEE85C3-8006-4B4C-B696-9856959E084F}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1476 wrote to memory of 648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1476 wrote to memory of 648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bin\2.7.21\Smrt-Shpr.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Install.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2984 -ip 2984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1544 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1544 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Uninst.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe"

Signatures

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\UninstShprRprt.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-20 06:49

Reported

2024-06-20 06:52

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

125s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\cs\antiphishing\antiphishing.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 1660 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 4356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 4356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\cs\antiphishing\antiphishing.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff12b746f8,0x7fff12b74708,0x7fff12b74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6564141981929606811,3504297910759492048,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 /prefetch:2

Network

Country  Destination        Domain                Proto
US       8.8.8.8:53         8.8.8.8.in-addr.arpa  udp
N/A      224.0.0.251:5353                         udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_2372_POLJAFTTNFKJDGWZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 51dce1920a47427efa27780a9c941338
SHA1 2ac0763158ba85e641dfe6748c0790d39cdd1666
SHA256 b686dda886921f8d1d3e7cfe204c467331d8387f910c07b7a392d20fd447450c
SHA512 7451afdd18612f523bb8eba8cc176427e6e72d327eb7c88ac16b4c405ee55d997727593bc4d339fbdf2f13c44690e9fcd9ce2d75773f80e10102ac6a031bb406

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 72440347b42b83cde4811c38e09a2b7f
SHA1 ccf6bc8ad92b42bc67e5c191ca9d68149b22ba31
SHA256 34dcb6cad41afa76cf293c225964e4640c3890bbe680e82b65c8b471ce8c1280
SHA512 126c9121c08e4013ec4ab9ad20bfc9c29c8cf496f7bbad41b0ed556c2602915e1c7111dd80423e3bf82e6d2a3f5db8bdb5d828d6de7c1d0c4094bc6f032e41af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f8ca0f1be650ea485c817a4c9be586f
SHA1 0fc6256bacbf133a97502c497f9c3878c538e56a
SHA256 6fb1a1788021d1319aaf94b5c9455275056ae43de90f0d00177e6baa2681ddc0
SHA512 676a9cf392a8453530734e8bd0b59b8f86c7f6fb085ce0d1b8119d71bca64a9aa3bb26859242aa567d149c1d8c46d5e71648e21249c313e65477e300c5da600e