Analysis Overview
SHA256
6de0400e2221a9022df70529f15054a465e6951ad2fc758ea6dc5732a5a8f4db
Threat Level: Shows suspicious behavior
The file 0444d43e941483a911b6571e8886cbcb_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies registry class
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 08:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0444d43e941483a911b6571e8886cbcb_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0444d43e941483a911b6571e8886cbcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0444d43e941483a911b6571e8886cbcb_JaffaCakes118.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240220-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425033033" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106854b4e9c2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2d5562e27db73429e5d36a464446195000000000200000000001066000000010000200000008c275ea6eb1524955fa5c4cbe3b71100f414fdc51ab43051b5a03c69ee968e97000000000e800000000200002000000005c3c3a0c929c19f9838200552e269f3b96625dc84885ef84ae1e609136f3f92200000001e9087d89867fe99c05e06f3ddd9153c14fa1a6100475860feb99fb48ef4205840000000641325cd0e127de6723d1617c485de0f1eb9949be9570838b58f947a08a466450aa9d0c59444d54d1bf8aafde90f7835d6ae264a3d2bf99adac4d0f3a20d5928 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFBBEAA1-2EDC-11EF-8B56-EE69C2CE6029} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2184 wrote to memory of 3044 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2184 wrote to memory of 3044 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2184 wrote to memory of 3044 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2184 wrote to memory of 3044 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2530.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2630.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd8a50f01c43f7ea63e6611da4b19a90 |
| SHA1 | 0e86e0f28bb1210a641431824a8e0d2ed730bc81 |
| SHA256 | 40b0ae3099a67c5c5194a14a68e3927a7162398ff21dc24fab5cf646b40788fa |
| SHA512 | 9a2e5973b5920fc05c1275c446f6bff33f6f6250f63312ae02e361d81bc1a7320785c6771137fff6376e8a05c700dec349d23ca097e012ba52f7eab16974bf49 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b67baed8f6da1da2277979abcc66152f |
| SHA1 | 04a0d01a9077a06b61c2eba13da9c85eefec84bc |
| SHA256 | e71a3dc77680f925e572ef34ea8bcfcbbdad5bb789ed7e081312a57d9931ebd2 |
| SHA512 | 5bc6334076b6cea7a4168b3c0a28d7d698dc766df2d6b04edfc626b3be81d6b2045c5d607e395d790c5e57f687a678c73ad3ee1ce34b2fce2f43f4f1b9591a5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 728bfa757b4328fc65de79e9398c6b1c |
| SHA1 | 78e0bf05abdc1053fc6cdbdf7778d32548019f98 |
| SHA256 | e3b41c271a85dc48240baf629122d863b862c43bc930ef4226a8a6ac9adda7d4 |
| SHA512 | 0307833fe6769d43bc04f3c8906a1037ea767ca4635f85e6ff0b0cb279f8d8a038958867b77959f655b25a6230fce8ee77bde79b39b4fb80a423ec9e3ad3b9d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1fefd11dc65a427edc948fd6c6725551 |
| SHA1 | 0625a4f09498cb10eccda7f341822965a9b1b9e4 |
| SHA256 | 430e4c4a2991a3540e0db57b13ec4c55b7a8c8c5738a617191dae31582343113 |
| SHA512 | c580eb7e7edd5fd5878a8b6756ac0d4eff7432c4dfc55d2d2be399de10794e705b4feb7d1441ec9fb8d92232806eebb8f8ab55517376ec9e01652e9549f3bd7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2ff6db60483608d992323595495f13f |
| SHA1 | 11a4418fa0438f3f2143283df1aac8bd833637f1 |
| SHA256 | bc37c614ef03bcc31ff22f4068a92d932bf5a725b8c14580c4c780887c4f352b |
| SHA512 | ee81c65b48fbbf8e2b352f8ac7598e39c4a258818b232712460b148cf423ce3c8edf13dc820fa19d259c271870dec25e91fa5579b6c936eb8c43f90ca0ed41f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a29b98821b9a3dd8ffdf773b90dd7111 |
| SHA1 | 74ca5d4905b3a31d6405fbd610269e1a8e0daa01 |
| SHA256 | d00516ef8a369e2d67744771f917b77b87f5d6c9330261244b956a567103491a |
| SHA512 | 366c57254eef015b690d742e0a55b18cfc3d907ce7b346811257714dd095e32b5bed0913562821858c902809d7edda16f115170d61fe65b38a8faa567f7ce776 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2f1b50c6da34f126dfdcde52a7e1e12 |
| SHA1 | 4650754f3a660e1129b27ac479df5c413367ea0e |
| SHA256 | 66197d14d3e286963711284b05294bfc057214c9405c93a793a28aef861d6c5a |
| SHA512 | b257d2f016afbfa0792edec979a8f6a108f25e65fc699656b6c51d0cf892d421712c77e451222ed2e8a80711169bcc48410b35b80d4603d33da15e304e8d9272 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 279fec894bd2051df3ead7633e15dc2b |
| SHA1 | 3d5f99e4fb106e8ec55e68a1a2e74e43d888affd |
| SHA256 | 143a2ad99e9ef731fcf5336c024bca0dbc80978e1cba531a0f6212bdc6943b00 |
| SHA512 | a2f73d073696ab204ffc7363b74f15137a6e7fb751534879dcedaece6dad50c68b081f70c4cb5f6754a45d6f6b584f082431194f3970635906dd304ce16a5eb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | daff339d30a6ccd4eefa2faf0718b0a4 |
| SHA1 | 98ebf8a976b3857959e4208b3d5d67bb9a906dbc |
| SHA256 | 248907b8d73e4e4df26741578f4a31a80413da768b64635d900c8efa243677bf |
| SHA512 | 4fefb62fd7028b2090456196fe800b51f7a0d5130dba3a77004a66c00ae99729b15ff45fe3fa7ce6fd56f76d5813c2d8c5b8c2f7383cf489f8eee1c086b04bf1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c35700420c4f65d664528996b127a4ab |
| SHA1 | 3ea9bffd178934fd618c067db633917e1578f03a |
| SHA256 | fc44edf684bea403586318fe7a612ff4a7af5529f8e0171893bd9075ca08f041 |
| SHA512 | 092bdcb2e712c6a5ad71967434a57da049ede6d9bb57363787aa2783d2e305d2a1e7dd058ecf0951472b2f3c2f495f3645bf79a758f484e43d3ec818c5e60861 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e63d030464a97a6f7d0670927ed0a95a |
| SHA1 | 2d1837352ed83d0f9f6ff68c10ca552c323e25bf |
| SHA256 | d8e513a357606666d01877b1e51a785ddef0953ec8a948475609ec7163dcdcf5 |
| SHA512 | 08cf232c2b827161a6a3f7371a2f2e533499d68f89ac4c3634f853036a8d9cdc807f007bb389f1731a513cf90d4eddc62d8aa024aba4e4f1cf0853c3af972e8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6d0a61420988b97dc982bcccea396949 |
| SHA1 | cad25d873bfeef13e3f32c23812d834b801d1743 |
| SHA256 | dc95e9b8b74fa20e79923d3aff6cfe8854d2566c4682e1c08623abc0e3707c53 |
| SHA512 | 3b54304f87815c681ccbba86e9bc3e60abd6eac54ea7f1a94ad7c3a4c6f28293153c8d3cc0b23c6e821b526a7e239b7933b2a196883884c4f530b6ca947c7615 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | adf64b4949f0a7a32460faa5a2c06599 |
| SHA1 | cd7a88017b31ea0235ba6161de057223d36473ae |
| SHA256 | a0cdc055a93e63d504f6264797baac5d409a6087b970da67a59fe3e96002e8e3 |
| SHA512 | c6926e582cfbc156d7d691cee8843617839b4f768d1cccd4e41c1bf125846d5c64dd9dfc1154e11d76e8c191891a823fa689dc990d3d2d383269288737cdc80f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af5a2eef747c8ae888a9ca6cf7963f53 |
| SHA1 | 66c3950aaff070a9a194420faa716c8a568aaa69 |
| SHA256 | cab64ab32a1adacbf9d230830791e5496fc58fbb7e2b16ee0ed6c1295bbe8514 |
| SHA512 | 6c89e1d8fd2e92375b654e7256885312193922c3f0ac0d5d393258f8d45bd8fc66858b4e86de2a8d480b00a34efc6fe37dd6943ca3320d30fdbe4af2c30e8135 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95528c77e74beda875ff00d036bf71d5 |
| SHA1 | e54f07df474a5720435a42eafdfe75640de69183 |
| SHA256 | d6813f0c03e2d0e6b5b49b6104bc02fa43df843ab86ae3d45265d0a5e691df86 |
| SHA512 | 3c1b4c84409143f7c0ddf33727802a0a74d437370d9b12cd79e279a1cc8bcea0fe1085a4c059bad0fd21c3a2d601eb3978a6481c408e2c09741e335b6d918816 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cb2e1736401d98a1fe6fa8ee1a57f378 |
| SHA1 | dd136df12599a9e7850efe863fa5f21ce2ce31f4 |
| SHA256 | fea4267d255465e4635f9b92ae8dfc24785d504da3f0dac501ef7e8a05e1e74b |
| SHA512 | 12d55be49a0b43ee68eca39086817b6835d1e36fea931510cb0b3912533b0ca21f65c4eff0d44a51ca216326217fcced00d12619765ce2f61a8e50aeab534748 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3298dc42ec8aa1aa44b45f78923c6125 |
| SHA1 | 0f3b72e7e6454337486da38f5e0ce350987d1b77 |
| SHA256 | bffde761a7ce319a9766b6cc96650456e51bd0a786d33b54eea9efb44c0f2b6c |
| SHA512 | 840a7180b1e6291bc5f7dbf0c5eac8a309b86c60a7828fdcd936570c17478b948066afdc82ac82579a2978403b6a76efd1bd8fd64358170a3d2b7695c1f64f47 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 711cda7aa1d2b6358fbb1af108946f7e |
| SHA1 | 096382d87a0bb0d7c1bca3bdffa120de908ecc96 |
| SHA256 | 993d681af056aa92201617dffa159f3602dc75fe2d842bb54684c1075956cf1f |
| SHA512 | 100b7b6defa7791b1fd0550b3daabc0a1df1ee82ba0318ae8adf31a3c679193975689b93629f1bf9abe4547621a4b2985c335281f0c164954773dd2250948dd4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4ef738e5a581533591626c5b945a3b8 |
| SHA1 | ad333b382840b15292772bdf6a87e2dd78fe3338 |
| SHA256 | 38bc41e06773135c8529eb27e12953c65e920065e17c3628d3b15fbbcd4fdd81 |
| SHA512 | 9b88c9e61417de979a2c079516cdd52871a9f22d6f3c1edf5f44c50c3a3ff180da8fb0f15dcaa96f736d4a06539635005eff42d55c23e1397307e73ebfee9355 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
140s
Command Line
Signatures
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\options.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4160,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=1308,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5316,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5460,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5472,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5876,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5812,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5556,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 2.20.12.101:443 | bzib.nelreports.net | tcp |
| SE | 23.32.85.199:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.85.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.253.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.253.64:443 | wcpstatic.microsoft.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 152.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\toolbar_id = "{323E00E5-B49B-42a8-9048-D3DA974D5716}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\TBShow = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\updateXML = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\TBSB09293\Toolbar\firstTime = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID\ = "Toolbar3.TBSB09293.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2200 wrote to memory of 1612 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll
Network
Files
memory/1612-13-0x0000000000A00000-0x0000000000A53000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\0444d43e941483a911b6571e8886cbcb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0444d43e941483a911b6571e8886cbcb_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| NL | 52.111.243.30:443 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
129s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\update.exe | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\version.txt | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\options.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\updateXML = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\firstTime = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\toolbar_id = "{2EBA7019-83B7-4550-BA3C-0F6505E80E24}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\TBShow = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1152 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1152 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1152 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"
Network
| Country | Destination | Domain | Proto |
Files
C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll
C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml
C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc
C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp
C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp
C:\Program Files (x86)\DosPop\DospopToolbar\options.html
C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html
C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html
C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js
C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp
C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe
C:\Program Files (x86)\DosPop\DospopToolbar\update.exe
C:\Program Files (x86)\DosPop\DospopToolbar\version.txt
C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll
memory/2832-44-0x0000000000840000-0x0000000000893000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\firstTime = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\updateXML = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\TBShow = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\TBSB09293\Toolbar\toolbar_id = "{9E765C9C-D34F-419c-9D52-C4555EA5E83D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID\ = "Toolbar3.TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\dospop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 1808 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3008 wrote to memory of 1808 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3008 wrote to memory of 1808 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tbu03852\dospop.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1808-13-0x0000000000B70000-0x0000000000BC3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf5cf46f8,0x7ffbf5cf4708,0x7ffbf5cf4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12395452951799545701,2336454748640196319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1740 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 6eba6762b7e34e64b0706343881c3d38 |
| SHA1 | 60fd6c08a79f436e98948477506a249458213780 |
| SHA256 | 63436d40a030822afc784bcc6a773bb3281c1e0d6aa1f3ae8af79c24efe76a5a |
| SHA512 | df409271beb074834a4f0ba1ab1990463bc86bb01c439adde0e4fde625c805f7b0d5b2c85aa89c03989dcc1a7d23dcbbec9c3f6b171652c595c7af923df96983 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240508-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000043eed2cce0f44617115e49121311fe7f46f1d1db0e0ea3f3617e93b907c89b4e000000000e80000000020000200000004c6173e6bc917753617951cdf0a036b68995f99835e5e74243bfdeb2a2d84923200000004e48d54282da6f72efacf2b1d9e937c3a1418429d10ce793a9fa9b89220d35aa4000000075d4b3121d6ff2782d8fb0346bed0a39ea5bdeb6197679056173fb33069820961216185fbe8981b87437093ea3571d7feaa99c65d0e98a873f0ac669401be07c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1993DF1-2EDC-11EF-A233-7678A7DAE141} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425033058" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30411db6e9c2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2012 wrote to memory of 1676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2012 wrote to memory of 1676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2012 wrote to memory of 1676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2012 wrote to memory of 1676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_img.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\update.exe | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\options.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\version.txt | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| File created | C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\toolbar_version = "DosPop Toolbar 1.37" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\updateXML = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\toolbar_id = "{86D9AB6B-9E8B-45a5-AB29-F1762D0DC7A2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\firstTime = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\TBShow = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar\CurrentLayout = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BFB5F154-9212-46F3-B547-AC6106030A54} = 00 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\TBSB09293\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID\ = "{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\ = "IPosBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.IEToolbar.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ = "IToolbarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\InprocServer32\ = "C:\\Program Files (x86)\\DosPop\\DospopToolbar\\dospop.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\ = "DosPop Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\ = "Toolbar3 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\VersionIndependentProgID\ = "TBSB09293.IEToolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293.3\CLSID\ = "{BFB5F154-9212-46F3-B547-AC6106030A54}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB09293.1\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ = "TBSB09293 Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.TBSB09293\CurVer\ = "TBSB09293.TBSB09293.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\TypeLib\ = "{77AA25E8-6083-4949-A831-9CB11861DC10}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24BBB29A-FB7B-425B-822D-15D0B861E99B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB09293.IEToolbar\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFB5F154-9212-46F3-B547-AC6106030A54}\ProgID\ = "TBSB09293.TBSB09293.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B75CF7AE-80B0-45C3-BA27-BABC08484319} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2236 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\dospop.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll"
Network
Files
C:\Program Files (x86)\DosPop\DospopToolbar\dospop.dll
| MD5 | 0f1846b9162b08ba83b187f8b812882a |
| SHA1 | 3bb577471354017b5c8f6ff1f5159801000110e8 |
| SHA256 | 0c647f88a0f7f7d6ea9796bd7b0401b6359edeb21060c26b911dcfdfc874b37f |
| SHA512 | ebacf6356894c8159d6ce0a3a4aac973b09ad6e80751f0edfda004e1df5cc2221f9967d1eff0cb59a3acfbede05e92ddd20b1dc095b2db65ca5c3eb278b9e5c0 |
C:\Program Files (x86)\DosPop\DospopToolbar\basis.xml
| MD5 | ddd7fcc20dd29eed331b186b5ca2889d |
| SHA1 | f7890c5e84f74890bd36dfac8d6f6912e68bf60e |
| SHA256 | c0d0a01a21c19475a5be0b5552e992520da735d86e6a40688b26735d4a7490b5 |
| SHA512 | b3b8ead777be600f59218d988c80b752a30587f1d298900f97beb32966fde18f72158eae3a0da6be6aaf4b5fb3ba4603cf36a99fe79fbd3bab38e8110c8061b2 |
C:\Program Files (x86)\DosPop\DospopToolbar\dospop.crc
| MD5 | ec3733d5ea6c6404204c5bbaae9210e1 |
| SHA1 | 6b70c10e79e29904fee05a76b3852ed4e437fb25 |
| SHA256 | 194c4acf404911afcd0f563659ffcc45f33f249e0e41e8681cc15308d0132903 |
| SHA512 | 3d419529e187c6c93d46e7216cdfe6710f77ba575a0fb42b57efedcc6a41261056bfda1ce17bbb85e9619931d420fb1e111748e6d8359d5b9776f1adaea0cb54 |
C:\Program Files (x86)\DosPop\DospopToolbar\icons.bmp
| MD5 | 0540c76a162cf8aea5b333a6e183bdbc |
| SHA1 | 10650aed77cafd0e0e10a98a67343157abe93652 |
| SHA256 | 6f00271baba262330950c748e67f41f0d2c98d5e0a5ef7cf099d864d7d9891c0 |
| SHA512 | 7acbe3537f07ef6dc4a2dff809b8cc74edbf7d02ee4a75d0f399725d2dda28c5fa1f407495a23301f322e1655cfef83271be05e8062aab022538fddd6b001ee4 |
C:\Program Files (x86)\DosPop\DospopToolbar\logo16.bmp
| MD5 | ecf6053084c253b4ecb999b77fd5e7fb |
| SHA1 | fe7359187bd92e1e9312789a7c9ca1df08947c26 |
| SHA256 | 4d502980795f580774e0904c22cef73aaf81eef9858e67e05d0ef10b74c62105 |
| SHA512 | 7a86d529bf6eca3daaa428fbc7d0dbac20cf30261f2ab1495532cf52087209eb712734fa90d23e063bb3a8e833d90c827fc920cc6785fc19951b5c883fa93f3f |
C:\Program Files (x86)\DosPop\DospopToolbar\options.html
| MD5 | adc6e16ce6e97bd1eb19d3a8dad7274f |
| SHA1 | 12b55eab3225b2250ba051803f7d791db59a46a1 |
| SHA256 | 29e525a91d8ac4ec6bb2fa299a404d9f151b45400c7cab09675a23469373435b |
| SHA512 | 2c4bc233ae8741fe0a6995845aa88d707b347cfc78745fefac346ce27ddd5b799dd374bbba15516f6e61348f52720be3639cf0cd925a599250a9947a33ab7103 |
C:\Program Files (x86)\DosPop\DospopToolbar\static_img.html
| MD5 | 2caff3519f5be538757c467d4fec4756 |
| SHA1 | 7e77344f049d9ee4d216b6f412c01ba28596773c |
| SHA256 | e94503ad0ea2a4f7002ba70f57e12da9daabb5037b6bedc7725d1fc43a487415 |
| SHA512 | 029814dd117053d03acc6c0cb1af2802256149c6a3588cd41334deeffad6095dc16386887e2053f288b13a5ebd3599cbf9c55c194fde81f3df77045d2609a467 |
C:\Program Files (x86)\DosPop\DospopToolbar\static_pub.html
| MD5 | 0bf3de7de6f6a9ece7674fb245c7e428 |
| SHA1 | a71d601820676d5741734e825c7347d59570bc98 |
| SHA256 | 29101ddb9fc880b921c78a8aa0952310ccf0fe4eb03479425500fc2e779d4b2b |
| SHA512 | 30dc0cf67d772a79dec244882f24c4a6ad71a3139b1b92d6e059f1e677ef138596e71c7bf12c2283b591ad64744b9abd15895fa29c4a600f64c784423bc270b2 |
C:\Program Files (x86)\DosPop\DospopToolbar\tbs_include_script_008091.js
| MD5 | b734be75b8963660abfa7412095c7a82 |
| SHA1 | 6091ffb358b2596d53f4e74e09da01326258dce8 |
| SHA256 | 078d1eadf0733de055e1ca4ff03bdab7203a66823e9cb4d5a8539d84276759a5 |
| SHA512 | 1bd848ab95724bf8b7c6dc2e91a066a85c0d6239c16c3e548cfaa7a6e57c62e432b820b7503e998bc205d9153ec28c7e590610b8f4481e28b2ef6df35f14cf68 |
C:\Program Files (x86)\DosPop\DospopToolbar\toolbar-logo-dospop.bmp
| MD5 | de7f84d3713c0e55ee2f584345647504 |
| SHA1 | 8903bf45c1993fc2df3313e89971b4cba2ba9239 |
| SHA256 | 759282b69a5a1c30a01e0ef7c19a2eb59955e33f0caa0b066e418ef54f5c5884 |
| SHA512 | 96c820d6caf2385faf18aaeaffe743846e158b1e2eabdeb53ec9dafda3fa86ee30f070f7c8e65bd1a0325e6d6fffcfafec175dad07f0dee0f6fcb2660133a193 |
C:\Program Files (x86)\DosPop\DospopToolbar\uninstall.exe
| MD5 | 652d9d1fc071f90c3e0adb8d79d7ade2 |
| SHA1 | b63b34d5b3f2d5b75b0b5ff3290752ae1cf3a68a |
| SHA256 | 7c30673fde7090d6f74623d9bf99e1b2f9661ec94d21d3c2ffb80e1c56d60891 |
| SHA512 | 410d3c2ce92e5db4c12c46d399e88dac97be784f2b50946e40ba1689a524542e6220864d35d625c3cbb104e20ee351362dbb100423224d319fa62add5c3fa1ae |
C:\Program Files (x86)\DosPop\DospopToolbar\version.txt
| MD5 | f1610ba6a619c1703c4dd4ea1c8d71e5 |
| SHA1 | 539d1b8b903d98bd9abaf232b4c2f370ac1e9e81 |
| SHA256 | 0f85f776d85b5ee164a43c166dab525625655bd42b6c0503fa8d36fb702df666 |
| SHA512 | de5058badc73c1e267e24d7cd18e2c1207337d78185bcd17c4e1ab1131e30f4df5c051cceb748966fd4a8a6b8b2f1d11e2ced29bf5c5ca8404e3f5da5d2d438e |
C:\Program Files (x86)\DosPop\DospopToolbar\update.exe
| MD5 | c050609bcf90684099902c043661e739 |
| SHA1 | e471468f128e3f8899d53f54f0fd64561a297210 |
| SHA256 | 3751b8982c25d16aee9bc7dd5e22c83f323c8c68780012773612778f20279af8 |
| SHA512 | 2e199a074fbef486518949bd57da18b7b221eb1d9d391c30d7ee73817e2d514438d25ed46f2ab68f79f0645013df5fd35100eebc805bea3830aa7b1cfb8d9846 |
C:\Program Files (x86)\DosPop\DospopToolbar\tbhelper.dll
| MD5 | 8285d06c80bb289d22d7c67c4df2d51c |
| SHA1 | 0aa83342fd5d23de18fb5da4c4405ddc5b13d75f |
| SHA256 | d5df73f377bb5113a5e1c4f7872db6ec4753568a1dadf8d5d09798ac9038ad29 |
| SHA512 | 8de26c47bbcf0ea1dcab869ac21eb6d13751a913903a179fbd3ad8f30f0429b15c60af53c68b2661a7adb34a310ba7d91281da34f0ddfe595c409e11c0f34775 |
memory/2668-43-0x0000000000310000-0x0000000000363000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4716 wrote to memory of 1060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4716 wrote to memory of 1060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4716 wrote to memory of 1060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 107.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240611-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID\ = "URLSearchHook.ToolbarURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ThreadingModel = "both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tbu03852\\tbhelper.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2440 wrote to memory of 2556 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240611-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe
"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe
"C:\Users\Admin\AppData\Local\Temp\tbu03852\update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
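Two caveats on the Network table above. The in-addr.arpa rows are PTR (reverse) lookups of addresses the guest had touched, not connections made by update.exe, and the remaining destinations (g.bing.com, www.bing.com, tse1.mm.bing.net) are ordinary Windows and Edge background traffic; nothing in the rows shown is distinguishable as traffic originated by the sample. The same row shape recurs in the later Network tables of this report. The following is an added example, not part of the report or the sandbox: it buckets rows into reverse-lookup noise, background traffic and rows that still need a look, and cross-references PTR-derived addresses against the listed connections. The background-domain allowlist and the one extra "review" row are this example's own constructions.

```python
import re

# Rows copied from the Network table above (behavioral22, update.exe).
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 13.107.21.237:443 | g.bing.com | tcp |",
    "| NL | 23.62.61.113:443 | www.bing.com | tcp |",
    "| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |",
    "| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |",
    "| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |",
]
# Constructed row (NOT from the report) so the 'review' bucket is exercised.
CONSTRUCTED_ROWS = ["| DE | 203.0.113.10:8080 | update.example.invalid | tcp |"]

# Domains treated as guest background traffic (Bing/Edge, IE, Chrome Web Store, Google PKI).
# This allowlist is an assumption of the example, not something the report asserts.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "googleapis.com", "pki.goog")

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def parse_net_row(row):
    """Split '| CC | ip:port | domain | proto |' into a dict."""
    country, dest, domain, proto = [c.strip() for c in row.strip().strip("|").split("|")]
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def ptr_target(domain):
    """For a reverse-lookup name return the IPv4 address it describes, else None."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def classify(entry):
    """Label one parsed row: PTR noise, known background domain, or something to review."""
    if entry["port"] == 53 and ptr_target(entry["domain"]):
        return "sandbox-noise"  # reverse lookup of an address the guest touched
    dom = entry["domain"].lower()
    if any(dom == s or dom.endswith("." + s) for s in BACKGROUND_SUFFIXES):
        return "background"
    return "review"


def bucket(rows):
    out = {"sandbox-noise": [], "background": [], "review": []}
    for row in rows:
        entry = parse_net_row(row)
        out[classify(entry)].append(entry)
    return out


def unexplained_ptrs(rows):
    """Addresses recovered from PTR queries that never appear as a connection in the same table.

    These point at connections the table does not list (another process, or the guest itself)
    and are worth resolving before the analysis is closed."""
    entries = [parse_net_row(r) for r in rows]
    connected = {e["ip"] for e in entries if e["port"] != 53}
    from_ptr = {ptr_target(e["domain"]) for e in entries if ptr_target(e["domain"])}
    return from_ptr - connected


if __name__ == "__main__":
    for label, entries in bucket(NETWORK_ROWS + CONSTRUCTED_ROWS).items():
        print(f"{label}: {[e['domain'] for e in entries]}")
    print("PTR targets with no listed connection:", sorted(unexplained_ptrs(NETWORK_ROWS)))
```

Run against the rows above, everything lands in the first two buckets and the review bucket is empty; the PTR for 10.28.171.150.in-addr.arpa resolves back to the 150.171.28.10 Bing connection already in the table, while 228.249.119.40.in-addr.arpa points at 40.119.249.228, an address no listed connection explains.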
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
124s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2552 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2552 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 2552 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 6eba6762b7e34e64b0706343881c3d38 |
| SHA1 | 60fd6c08a79f436e98948477506a249458213780 |
| SHA256 | 63436d40a030822afc784bcc6a773bb3281c1e0d6aa1f3ae8af79c24efe76a5a |
| SHA512 | df409271beb074834a4f0ba1ab1990463bc86bb01c439adde0e4fde625c805f7b0d5b2c85aa89c03989dcc1a7d23dcbbec9c3f6b171652c595c7af923df96983 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr" /S
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4788 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20231129-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFC01121-2EDC-11EF-B69B-6AA5205CD920} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab3371ce849ae74a951bd03f2a89f5f400000000020000000000106600000001000020000000b0f8d085d53978a7cdb0f5bcfac20d2b5db75b5722affe5f20e7aec381048417000000000e800000000200002000000024d296a58b67233e8b1482645a01453501c98cb3b3036a734f23454bf306f43c2000000074be31b37f157b79ccef5a89bddf95b0b05d99d66d7d497d6cf7a94f72748f1d40000000ad6736e20b99e0c021f221943d5a3c600590c9af2c762a23a5d170b8a06997ef29fed7476f45a679475c31b7d29b0800f1035c3a5680a9c58c1427c9d16bf2b0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a73fb4e9c2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab3371ce849ae74a951bd03f2a89f5f4000000000200000000001066000000010000200000008a646c01648fc70ed3febb8da28039d581bd55042a6fa68c04ffb63596d7a42d000000000e8000000002000020000000e11b0316828340361f2beab27e2111cbfd971b26a8e6cd3db36350c93255cc65900000006af8d82d906feb8e7a1e936c2210be7d1f74e904e34cb83ab1f7e0ae92ef864d3ef5e9fba6dfcbecd58f0539706a4c4238f3e8b12bf89e6d083240ce920a8dfd635434efd569181cded9b80a97c08fb808d3c14779c1173664813e89ba078e7d886fc4441f2a6995ff1f08cf2a2376fbf4b1b7b46b80e0d955cdbe563d13cb6f35e154073c4f91430418557d7ff79b304000000065ab0f7e8cf52dd70317ee7b631def8f9b469c1572f8b032a678e5796264d4ac34e96c4d22915c3982eb44407875649469b5edf68b37eb620b41ff1a26c599be | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425033033" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1920 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1920 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1920 wrote to memory of 2932 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.62.61.152:80 | www.bing.com | tcp |
| NL | 23.62.61.152:80 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2627.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar27B2.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3a4dadcd8494780d9d549eae15b3fdfc |
| SHA1 | b14acd208b9fe3cd2dcd5f0f819b0e2b52b244b2 |
| SHA256 | f7d99219ab05dab47499f8a02a26a070d7ad1f74aeb1f5e5918d494935801edc |
| SHA512 | 7dc2d57aa945b73ec0569d05e48a4026014b06d91111c9c2dcaad942bd5986629e578992e1e35cff8aa489d570a1918fe92ced349a82e320e87057ae9cdb98a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 9a3a12f57e931e288807cb70ce819e1a |
| SHA1 | 9f49e9685d0c1cfa146b4adbf7d0acfecb4aef50 |
| SHA256 | 07d90ee6ba10c156652c3ae4bf517618449acc8bb21c3ef38ad702e688a79814 |
| SHA512 | a25026d369379dbfd922c2badc3f7aacb426f0cf6633cbce3e1d55cd4f9e4289d69374e677ce527063a0488ecb0caedcba30376dc4aebcc80e899cbf86a11040 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5c3274d7377cb0e3d3bd2f06fa183c5 |
| SHA1 | fd17f874d6c81521c3fa3993235fc7acfb066f35 |
| SHA256 | b2ae12f2d631398b84798aebd01f39d3341c6350053999d35f04cb5d0461debc |
| SHA512 | ed35307b6e775b1319e7b9e797acd08cfa123f82348490ef52380f55fe8b011df540e9d72b13f9efb9236f199214e09e6677fb7b242a265bf8faf3c2be65b5ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e77636712b4aca880a4f5081781fbeba |
| SHA1 | f328b23800e82415495c5b4a9cf1f42347a6a90a |
| SHA256 | 6ee19c46978217bd2da69d583f55a22cd3c9f23677d444ac7c6b04f8a4f4e8b6 |
| SHA512 | 630fafc7fe8ef0b1147c60ed31585a0de54812acdf47bdf1b0fdc1d242fb17b769ad6e1464d38cba040641f365a077e8c688e48993b657d93678b9ce4b6666e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 858b478c5d783bb1e0f33804eb19725a |
| SHA1 | 402d8fd9dd0cc49764cafed47dc2528cc5568299 |
| SHA256 | 1cf7b7aa143fcc74779028537f1dc3ee9064dc88fb6b05fd043a02821d6f4b2a |
| SHA512 | f71650784bd5f8b35f1107542baa4560ac328d9e372dba35274a19deb86e3d4e651dac55ef5df832a16aa3e8d0a3720d17c4ba35c0104fe5fedc4e024954dfe9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84e55afa14632c8fa8208ed3bfcefde3 |
| SHA1 | 23e9dda01beafa1443242d8b98c04679cb4b80b2 |
| SHA256 | 81e97c989110c30933132ef9726e65609d9cb7fe0b16219772fb08fd0ae3235f |
| SHA512 | ee47b4454f8995ddf5b664cc7ee7712efa8735a532e52f8070f2f95b74805f73b3841d1f871b4adda0c90eb06cd8bc84162b68b917f4f1ba70b250c1abbfdbfd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 7a33522704dbeffe335fdb92da51734c |
| SHA1 | c2559eb767927ab3f92c772bd5d885c55a25cc4d |
| SHA256 | 4ed983ddf3f7dfe4f9d428a177922721858283fd5858d4761a9b0bff47b31a84 |
| SHA512 | 9fef5970d4be9cd0d109108b13f5c517bce070ea6a25a70bfaa4263dcdaf074c9f740a6c565e8cf6e9a6191d31abaa05fb3dcfda6dc52f6051898732ef7eb1e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 296bda1ef3cb3723ae66161f1df505b2 |
| SHA1 | 09a1739d137152649b52fd4561b598aa0e777bfe |
| SHA256 | 6001e00631eec243e17142abe2d708484ab16ea0cfff0c783acbde503e8e30a4 |
| SHA512 | e5018f468dc27d87d8c271c732a06b420635881fbe294b26ebf7346eb4ff1e6119b45dbf0236677e94286552c5fbfd79258c76254376e78c69e6516c716497ec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96a1b14cb7a25d96be8dc7eefbccdcb8 |
| SHA1 | a35bd629293471d4e182da60081c5076135b8b6e |
| SHA256 | ea0548a601b750f56cf1e63435b11c0792ff853bff51c60b84c84407e19a6546 |
| SHA512 | 03782e67791206ea973157fc9cf76a778a8b77d52dd33158f1cfe88ef5f38984375c45e41dc46e4a4099fd76452763fc75390b184091c1fbfd53838edfebafa6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed4afe2b7c25f048de11993446b61e79 |
| SHA1 | 5a5db57dbe373f04c7dcc4cdcf4af05f80f63b39 |
| SHA256 | fbdcbcbe5c7a386827f06dce8dcd802edae4db24bdde1d87bd092d02524acece |
| SHA512 | 5b1744adc2a555040e9b3d8aae7e9e98fa5b8b2a26af117e1716760169861bf8dcb0d868a19d1048d608ccd10c85ab10348001a4e82c3e8ddac6ecdf50e046ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2169841d70f2900950a0e92029e0a2b3 |
| SHA1 | 4d9d3f691df39374648217d87dcbcdf85dc55a0e |
| SHA256 | 441b32fb127dd770bfcddb6ac232b7dda032046b9d34608b3a08a104ae141173 |
| SHA512 | 4937384023fa039294ccce4b82960b09a0da4c3b1fffba54623114da2732e27b201f343c5736c1b1c20237ab97287d72c1e503ea3c1d63e27a2779dbadff1c8b |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a05e91a5d639ea4fc8aedecdfbd3cc84 |
| SHA1 | c5e56570fa8afe99126cac3965e1e046c2e615d6 |
| SHA256 | ecb618a5eedf8a77f7caedada5dae410d3ab09b165ed92e587e11c3b686fa091 |
| SHA512 | 9124e29439916d3a58663fd651c90ecb2903bc5b34d62391e00721647f604607e63f664be46e4c13d50f5b41c67000cb8cbefa5d9819a04c1d7957a14f7719e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9b0e7ccb54df3cb908d01203ca9e6f8 |
| SHA1 | 72a33d63d0073fde500584544fcfbfc8b2731b80 |
| SHA256 | edf8c400b9d21780d3bf1ff8d470655c551d92056f14027aff5d862b10322bf5 |
| SHA512 | ebd9d4a92dbd6fe7e5e56ef7f5f8cead67da8f185c7f62773f3d1b3c5104fed9f63fa4cc2decb4765ea6608dc59e250ccaf65de31e06551a303cebc6ae265ed1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27f295a46972df1b0347c1cfad866979 |
| SHA1 | 786770ec6dcae2b810f9d246d4d9c02c2c747893 |
| SHA256 | 9a2a2a9fdf41b1567da9ccf345706fa453cb413dd94af3ec832842ae000cfb09 |
| SHA512 | 2389a72674f5a74e7e7573e0dab4304ff64634b5aead144d5f7aa6839ef882a182a7ad4202fc42f3686d78bec03479cb538456b44a930de98af7f3220347e787 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28746442c64f7abba53e9fa005570f9c |
| SHA1 | 1982836981634f966e770fe2f4544c29b3ec7733 |
| SHA256 | 73df4196d5d12cc7c895aadc25a40390d997ae140d04b1ffd7ef99a438a6469e |
| SHA512 | 643396480abc243d22ab6d89d3182198a0502e0fb7f233df1309e2a1ed88d6bea5e473cd23b1e463b8853a165a5986a88e2c0f964ad5612ce4dc9c9572f1fee0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b5380e5aebc6bea1016c2ef223f7cbd |
| SHA1 | 1ea2c67aec815e89aa3a054703c54b1c391fe04e |
| SHA256 | 4a92cff8f950f6e5f38fc0f50738fad8098e599bc5690d7c59ff3ba36c70869d |
| SHA512 | 65502df97beb0587f8708344b7a4539cd6e50f3a84a10a45ecfcf41a6e62950a98ff0b5291bfeef6379d8240416d7b16d4b97e67b6e3ccef059cad020f4e0af3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c374a46c282554763c91786fa9c0ec1 |
| SHA1 | 276a551dc09095a494f6ca6a1990c7d243efcef8 |
| SHA256 | 6fd945c16deaa5adecc8ffbe1f7cec8b74872a6fc0d3848bdced714bf79b3de3 |
| SHA512 | 8e18ab0be7fca7ec752676b6969f06a714554888996915f2602602fa45f455199b62dfa9982b00b9fec5aaaf4c6de1b1999149d729c2e6ade192e39d5ec9d329 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 338afb5f401c0f6e72b63ca46709f147 |
| SHA1 | 3ce09eb3e3c041484107ac9708909f18786b1103 |
| SHA256 | 524a5f25045c52679789c7f30b8a339b552259490a8ea612efba602fdb0e19b7 |
| SHA512 | 7bb109aca2070179700f7abe3ec32385122edc97dd7ee44faa97475db795a553d11ad651cdd1ea9846e485da3118b901ca1adcba7769668fd88264867cf634b4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f2033c40010cbc2875ef05c6329243f |
| SHA1 | 618baba906b3a4fa3bfa31d4bf523fcf465b681a |
| SHA256 | d5d30e858dcab5062fa540f4bc9f13af2f70e4a5244c6ef2b68a8b42f5497c7a |
| SHA512 | a903080f4cd89c55fe43379b428b2e909ec6e8b6f2577e940bf4eb7c7e4d04d25332ab79f81872787804c9983c935d10665df80ed9eae101cea61a9c9331b1b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f84372c43f56d4011a2d4799864fb9e2 |
| SHA1 | a02f86ac4ad9bfc5ff859b9e1493cb6634942288 |
| SHA256 | f07fe11984d26d1f2837fd3f1e6923df944d78794387cbd157c50ed260cfad42 |
| SHA512 | 3e8639e59292b62d3a6ddda0749bf3a00f4a46be654f38b1c7f710ec7b34c3966d68055141dfb2cfd6790bd7f806b1f116be625bbec002629c9d64da79837498 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 21ff7af7ee630ab770436eef7cb5df60 |
| SHA1 | 7da3331ac62f8360c5706c2549b7787f17b41406 |
| SHA256 | 54f4bbde63ed3dc11c4804b58b6e22dd32ca7af64fa732438ba9c942b669de3c |
| SHA512 | 6b74984aefd889bb55e158e62e8ea851a1d06c4eae751fbcff56639b317ba3968ed2b265b1e23926011657ae0cbffea96cde379c81683cf97dc730bdf846c2db |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240508-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js
Network
Files
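This analysis (wscript.exe running tbs_include_script_008091.js out of the tbu03852 drop directory) and several earlier ones share one shape: a process launches a child, and the sandbox reports "PID X wrote to memory of Y". A parent writing into a child it has just created is routinely seen on ordinary Windows process creation, so the "Suspicious use of WriteProcessMemory" signature by itself says nothing about injection. Three of the pairs in this report are well-known handoffs: 64-bit regsvr32.exe in system32 relaunching the SysWOW64 copy for a 32-bit DLL (PID 2440 to 2556), an NSIS uninstaller copying itself to %TEMP%\~nsu.tmp\Au_.exe and passing the original directory as `_?=` (PID 2552 to 4416), and an Internet Explorer frame process starting a tab process with SCODEF:<frame pid> (PID 1920 to 2932). What matters is what was launched and from where. The following is an added example, not the sandbox's logic, that explains those handoffs and flags the launches a practitioner actually cares about here: a script host, regsvr32 or a .scr run against files in user-writable directories. The process records are rebuilt from this report's Processes tables; the PIDs for wscript.exe and the screensaver are constructed placeholders because the report does not show them.

```python
import re
from pathlib import PureWindowsPath

# Process records rebuilt from this report's Processes / WriteProcessMemory tables.
# PIDs 9001 and 9002 are constructed placeholders; the report lists those processes without PIDs.
PROCESSES = [
    {"pid": 2440, "ppid": None, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll"},
    {"pid": 2556, "ppid": 2440, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\tbu03852\tbhelper.dll"},
    {"pid": 2552, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"'},
    {"pid": 4416, "ppid": 2552, "image": r"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp' + "\\"},
    {"pid": 1920, "ppid": None, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html'},
    {"pid": 2932, "ppid": 1920, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2'},
    {"pid": 9001, "ppid": None, "image": r"C:\Windows\system32\wscript.exe",  # constructed PID
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\tbu03852\tbs_include_script_008091.js"},
    {"pid": 9002, "ppid": None,  # constructed PID
     "image": r"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr" /S'},
]

# Locations an unprivileged user can write to (assumed list for this example).
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
SCRIPT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)$", re.I)
COM_SERVER_RE = re.compile(r"\.(?:dll|ocx)$", re.I)


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def explain_handoff(parent, child):
    """Return a reason if parent->child is a known benign launch pattern, else None."""
    p_name, c_name = basename(parent["image"]), basename(child["image"])
    c_args = split_cmdline(child["cmdline"])
    if p_name == c_name == "regsvr32.exe" and "syswow64" in child["image"].lower():
        return "64-bit regsvr32 relaunching the 32-bit copy for a 32-bit DLL"
    if c_name == "au_.exe" and "~nsu.tmp" in child["image"].lower() and any(a.startswith("_?=") for a in c_args):
        return "NSIS uninstaller copying itself to %TEMP%\\~nsu.tmp so it can delete the original"
    if p_name == c_name == "iexplore.exe" and f"SCODEF:{parent['pid']}" in c_args:
        return "Internet Explorer frame process starting a tab process"
    return None


def flag_process(proc):
    """Findings about what this process runs and from where (independent of its parent)."""
    name = basename(proc["image"])
    args = split_cmdline(proc["cmdline"])
    findings = []
    if name in ("wscript.exe", "cscript.exe"):
        findings += [f"script host running {a}" for a in args[1:]
                     if SCRIPT_RE.search(a) and USER_WRITABLE_RE.match(a)]
    if name == "regsvr32.exe":
        silent = any(a.lower() == "/s" for a in args)
        findings += [f"regsvr32 registering {a} from a user-writable path" + (" silently" if silent else "")
                     for a in args if COM_SERVER_RE.search(a) and USER_WRITABLE_RE.match(a)]
    if name.endswith(".scr") and USER_WRITABLE_RE.match(proc["image"]):
        findings.append(f"screensaver executed from user-writable path: {proc['image']}")
    return findings


def triage(processes):
    """One record per process: the benign explanation for its launch (if any) plus its findings."""
    by_pid = {p["pid"]: p for p in processes}
    report = []
    for proc in processes:
        parent = by_pid.get(proc["ppid"])
        handoff = explain_handoff(parent, proc) if parent else None
        report.append({"pid": proc["pid"], "handoff": handoff, "findings": flag_process(proc)})
    return report


if __name__ == "__main__":
    for rec in triage(PROCESSES):
        print(rec["pid"], "handoff:", rec["handoff"], "findings:", rec["findings"])
```

The three parent/child pairs come back with an explanation and no findings of their own, which is the right reading of the WriteProcessMemory rows; what remains are the launches to investigate: regsvr32 silently registering tbhelper.dll from Temp, wscript.exe executing a .js from the same drop directory, and a .scr executed out of Temp\$SYSDIR.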
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240611-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\Will.I.Am_Screensaver.scr" /S
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\tbu03852\static_pub.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6ed46f8,0x7ffea6ed4708,0x7ffea6ed4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,18060257766242030905,8436261826405819025,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
\??\pipe\LOCAL\crashpad_1104_ASFSYIZSEAIFDATV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a8e767fd33edd97d306efb6905f93252 |
| SHA1 | a6f80ace2b57599f64b0ae3c7381f34e9456f9d3 |
| SHA256 | c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb |
| SHA512 | 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 545c1d33befe7731e688bff4d4ed1385 |
| SHA1 | d95cc78a84c2dbc762f740b0f1d65d58ecac1dbb |
| SHA256 | 55dbadc38679f3636a90e5049e2277dd18e0ed43ebe311768bfd8b056caf208d |
| SHA512 | 0a0bc07a1219cdf9be05e0bf23d0dce009411a426b29bf3886eb3ed08eecaeb95d9dfaf1067682650d1d9cdc0dbb5675da436be34f766bdd359107341cfabe9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1edc46f94eed01a7bfa4a6752011a52d |
| SHA1 | c2def8b99a1dc265f4a7824b16cab9fe3b910f76 |
| SHA256 | bcc01940c300a80c41461dca04af6bf94513425e4996f99e4eed803adf841a6d |
| SHA512 | 35b250d85c18d8950c89f805cb686ac4cafc8d24f50ed299b63839fd16090ac122d80aa848b2628325c66623771430eb74bb4b8659a9133b3127f3d18ae68081 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-20 08:12
Reported
2024-06-20 08:15
Platform
win7-20240419-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\tbu03852\uninstall.exe"