4926c75e330b65f38f41386b42a402298672fa466e2a26f65d8420974c39fda0

Analysis

max time kernel
124s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/11/2022, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-remover-6-9-5-build-2979.exe
Size

13.9MB
MD5

d9b2800a8a86996172ec18f1cb48786a
SHA1

d2c558564f0f322c0647b36d82d1e98921e58587
SHA256

4926c75e330b65f38f41386b42a402298672fa466e2a26f65d8420974c39fda0
SHA512

391f18d5127327499cb537b4e6b92011624f836e48c0f35c1954a8897fbb828ed5482fbcf3f1aba3549e39cca5fd22a499876c4a81b8ee45621304fa0d3801df
SSDEEP

393216:q3Hft0T7yG9QKWsKPrTYyi2JwEivFQrzPaUwL:kl0PgJsekcivSrzPwL

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx\ContextMenuHandlers\Trojan Remover	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	trojan-remover-6-9-5-build-2979.tmp
1752	TaskInst.exe
112	trupd.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32\ = "C:\\PROGRA~2\\TROJAN~1\\TRSHLE~1.DLL"	regsvr32.exe

Loads dropped DLL 10 IoCs

pid	Process
1960	trojan-remover-6-9-5-build-2979.exe
1712	trojan-remover-6-9-5-build-2979.tmp
1712	trojan-remover-6-9-5-build-2979.tmp
1712	trojan-remover-6-9-5-build-2979.tmp
1712	trojan-remover-6-9-5-build-2979.tmp
984	regsvr32.exe
1988	regsvr32.exe
1780	regsvr32.exe
1712	trojan-remover-6-9-5-build-2979.tmp
1712	trojan-remover-6-9-5-build-2979.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Trojan Remover\is-PSSJS.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-IDTD9.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-48Q4L.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-C6IAL.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-19S3M.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\unins000.msg	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-D3C5F.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-58AGO.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-7VGPK.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\unins000.dat	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-8MTJQ.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-160C0.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-22MAK.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-1HMNO.tmp	trojan-remover-6-9-5-build-2979.tmp
File created	C:\Program Files (x86)\Trojan Remover\is-B8TUV.tmp	trojan-remover-6-9-5-build-2979.tmp
File opened for modification	C:\Program Files (x86)\Trojan Remover\unins000.dat	trojan-remover-6-9-5-build-2979.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\AccessPermission = 01000480440000005400000000000000140000000200300002000000000014000300000001010000000000050400000000001400030000000101000000000005120000000102000000000005200000002002000001020000000000052000000020020000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\LocalizedString = "@C:\\Program Files (x86)\\Trojan Remover\\TRElevationHelper32.dll,-65056"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\ShellEx\ContextMenuHandlers\Trojan Remover	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib\ = "{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TRElevationHelper.TRPrivilegedObject\Clsid\ = "{518932EE-5045-451E-BDE5-B864132BE471}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Trshlex64.TRShellEx\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\0\win32\ = "C:\\Program Files (x86)\\Trojan Remover\\TRElevationHelper.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\ = "TRPrivilegedObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TRElevationHelper.TRPrivilegedObject\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx\ContextMenuHandlers\Trojan Remover	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\Elevation\Enabled = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\ = "TRElevationHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\ = "IMyPrivilegedObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ShellEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TRElevationHelper.dll\AppID = "{518932EE-5045-451E-BDE5-B864132BE471}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Trojan Remover\\TRElevationHelper32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TRPrivilegesLib.TRElevationHelper\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\TypeLib\ = "{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TRElevationHelper.TRPrivilegedObject\ = "TRPrivilegedObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52B87208-9CCF-42C9-B88E-069281105805}\InprocServer32\ = "C:\\PROGRA~2\\TROJAN~1\\TRSHLE~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\ = "{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E5EE211E-46A8-4019-BF37-AD5C8FF3D39D}\TypeLib\ = "{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\ = "Trojan Remover Privileges Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Trojan Remover\ = "{52B87208-9CCF-42C9-B88E-069281105805}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\LocalizedString = "@C:\\Program Files (x86)\\Trojan Remover\\TRElevationHelper.dll,-65014"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\InprocServer32\ = "C:\\PROGRA~2\\TROJAN~1\\TRELEV~2.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\Trojan Remover	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Trojan Remover\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{518932EE-5045-451E-BDE5-B864132BE471}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\AppID = "{518932EE-5045-451E-BDE5-B864132BE471}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Trshlex64.TRShellEx\ = "Trojan Remover Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87A5C78-0783-4F35-B2BA-90F45E1E2C37}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{518932EE-5045-451E-BDE5-B864132BE471}\ = "TRPrivilegedObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{518932EE-5045-451E-BDE5-B864132BE471}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A5CDBAE-FB8C-4406-8CBE-54C7AEDAA2B5}\TypeLib\ = "{008F705E-B937-4E1F-8FF8-C4D68AA3A67B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C47CD61-C5D9-4A1B-8D3E-AD7D6435196E}\InprocServer32	regsvr32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1712	trojan-remover-6-9-5-build-2979.tmp
112	trupd.exe
112	trupd.exe
112	trupd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
112	trupd.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1960 wrote to memory of 1712	1960	trojan-remover-6-9-5-build-2979.exe	26
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 984	1712	trojan-remover-6-9-5-build-2979.tmp	27
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1988	1712	trojan-remover-6-9-5-build-2979.tmp	28
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1780	1712	trojan-remover-6-9-5-build-2979.tmp	29
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 1752	1712	trojan-remover-6-9-5-build-2979.tmp	30
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31
PID 1712 wrote to memory of 112	1712	trojan-remover-6-9-5-build-2979.tmp	31

C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2979.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2979.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\is-JUJBM.tmp\trojan-remover-6-9-5-build-2979.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JUJBM.tmp\trojan-remover-6-9-5-build-2979.tmp" /SL5="$A0022,13746013,499712,C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2979.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\Trshlex64.dll"
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:984
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1988
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\is-D7U7B.tmp\TaskInst.exe
    "C:\Users\Admin\AppData\Local\Temp\is-D7U7B.tmp\TaskInst.exe"
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Program Files (x86)\Trojan Remover\trupd.exe
    "C:\Program Files (x86)\Trojan Remover\trupd.exe" /dbinstall
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll

Filesize
1.0MB

MD5
4af801176ac79f0a2a32b2d71d6ef691

SHA1
e4ad5d68fbd01d31d13e3737879c5adfaa05518b

SHA256
f0cd8bcd09a72de3bd900776fb129416877df869f27e8b2a1bb86d04ca8856f1

SHA512
dffb0ad4ea97fdfd58642eeeec6c2138de8cf5f2562e72d4503fe8da40b020595aa3e3cd5c4d1522335b9d64e8b83871f8c54365dbc2b6d2ee50e11df78d42c4

Download Submit
C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll

Filesize
2.2MB

MD5
4214adca95cec26e3cf661678a6c3705

SHA1
57604b65ef8ca91927dcfe2b4cf8ca0b4e0f1286

SHA256
03c6998fc83a8b89deb233e571e0ae1a5c07905578304440a06b5a912cc20700

SHA512
c0e980dab170caa2cad8b04bb34d12a65378e4d925efe2a3d3b9eb8a66ae487c573c6d6ba2d6565005f90defcf93e93273b1e6650b049ad3f250af5d3a14e084

Download Submit
C:\Program Files (x86)\Trojan Remover\Trshlex64.dll

Filesize
3.4MB

MD5
bc168257a6d847002c942f725e6c4d45

SHA1
252e52be7982fd7cf69ed1ae0d7b9d5246b76cae

SHA256
8332bd218920b6bec2a043ca6409d672335c0269b2d437cd7c1b00456e6f1726

SHA512
3ebad8455a440eb5bb87503fea557e3e30f136a461199bf66aa4ad11307d4dd52914469c59f0c8627310221f80c6048beada8275358c4db5c89eb4de26e16732

Download Submit
C:\Program Files (x86)\Trojan Remover\trupd.exe

Filesize
6.1MB

MD5
e9ddd7e4c9bd012f8b1adc808ce03052

SHA1
5492401b426548c821e779b35359dd30b1c40b22

SHA256
9738b8019f67bdbe3731d7cebcd9c0ce5b6ac6add34ab04d827ecf36dadb5218

SHA512
e9b47ea65591e791b8375b2d3bb511aa4ed6b1b38f2a4f51578d02d80346b4f714640a8efc6d3ca233b9c2ba45eb051a487a1c02b1c33598c0a93712af157d0d

Download Submit
C:\ProgramData\Simply Super Software\Trojan Remover\Data\dlservers.dta

Filesize
522B

MD5
11da9dbdee7dd02901cddaed4841802b

SHA1
a53152510c5f81e423355deda4502abc29ea8af7

SHA256
11956755580ed92378df8fb11cccf980ec134943c6a2e08581dcbf6b770411f9

SHA512
137985e2dde65c70056ac618fcb617ead6d9ce75bfadb25310ca45c5c6670663b8ecd8218b7ce2beb8022c7847a48a607f5725df48e05b56282ecc5d2e8992aa

Download Submit
C:\ProgramData\Simply Super Software\Trojan Remover\Data\epack.dta

Filesize
160B

MD5
8dff7e81d2865623790c9229cfb8aceb

SHA1
68f657d56065b244ac6cbeffad1d5bb7bf85b963

SHA256
34a0be0d7f4afb9763d47df8417eed7f0364bc5c00ed8dc707f5af0fbdc35d02

SHA512
844e0a0603ea2a74ffc54dcbde180df4f969be07e2af54cf39d5b65324c5b85da8dc77433944bd668c4a3a5e7e8778752d026edf86b229d60285e0d3cd3b1af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D7U7B.tmp\TaskInst.exe

Filesize
2.3MB

MD5
14d684c576f1d953c470fb7deced7642

SHA1
0f3db6e772f98c1fbbbce0f6b970ddd472427ead

SHA256
3f34a84e2470ced0d4ae5576758bca24eef02d715fe2817e43e5ff819cabf241

SHA512
2dc4a2ba6dd76e80d258e9c0c4eac37039d6c3a12f85c67fb15f545c5151f99c52bd7ae6edf0eba302ab4e7f6c41d3f2e4709e80a5b68a8c1f953ff0a4a1694c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUJBM.tmp\trojan-remover-6-9-5-build-2979.tmp

Filesize
1.5MB

MD5
4aaacbe93ee7ad2d86fe3533068ade70

SHA1
01c3403b90d4c43fa07a13c89035a9a78c2b62c1

SHA256
1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

SHA512
ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUJBM.tmp\trojan-remover-6-9-5-build-2979.tmp

Filesize
1.5MB

MD5
4aaacbe93ee7ad2d86fe3533068ade70

SHA1
01c3403b90d4c43fa07a13c89035a9a78c2b62c1

SHA256
1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

SHA512
ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

Download Submit
\Program Files (x86)\Trojan Remover\Rmvtrjan.exe

Filesize
7.0MB

MD5
254a91010f57619cb14dffd6154b4fa7

SHA1
06d6c41bbc7ad76194917351798c98200136d2a2

SHA256
5b85bd998355d171f51ffc6566d9e74a7d860168ac8c5e290f82ac57914e449f

SHA512
ccea521413797ad95e0c23eedaa917257a4ae4162104d4bc38d6f4ef7187d58a883fed77a19b63cf3a8a49b1cebcaf0d09040be2a59130daa4a8a784df5db8e7

Download Submit
\Program Files (x86)\Trojan Remover\TRElevationHelper.dll

Filesize
1.0MB

MD5
4af801176ac79f0a2a32b2d71d6ef691

SHA1
e4ad5d68fbd01d31d13e3737879c5adfaa05518b

SHA256
f0cd8bcd09a72de3bd900776fb129416877df869f27e8b2a1bb86d04ca8856f1

SHA512
dffb0ad4ea97fdfd58642eeeec6c2138de8cf5f2562e72d4503fe8da40b020595aa3e3cd5c4d1522335b9d64e8b83871f8c54365dbc2b6d2ee50e11df78d42c4

Download Submit
\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll

Filesize
2.2MB

MD5
4214adca95cec26e3cf661678a6c3705

SHA1
57604b65ef8ca91927dcfe2b4cf8ca0b4e0f1286

SHA256
03c6998fc83a8b89deb233e571e0ae1a5c07905578304440a06b5a912cc20700

SHA512
c0e980dab170caa2cad8b04bb34d12a65378e4d925efe2a3d3b9eb8a66ae487c573c6d6ba2d6565005f90defcf93e93273b1e6650b049ad3f250af5d3a14e084

Download Submit
\Program Files (x86)\Trojan Remover\Trjscan.exe

Filesize
6.2MB

MD5
393c68f5dee82b0146b6c36176a378a2

SHA1
c86cff91796573aff5cf6d053f45c3bc28027cd4

SHA256
3211d38286150b2321e5bcf2fbeccc5a9c297c39294f9a4dc54370491f95a509

SHA512
8c00a67b576f0456b45f84da192dd880f39db2f0ca5b695de48641ef20133e51429091213641a02791b176fb84bd63369dd91b9522c3ea12970c088aa2334724

Download Submit
\Program Files (x86)\Trojan Remover\Trshlex64.dll

Filesize
3.4MB

MD5
bc168257a6d847002c942f725e6c4d45

SHA1
252e52be7982fd7cf69ed1ae0d7b9d5246b76cae

SHA256
8332bd218920b6bec2a043ca6409d672335c0269b2d437cd7c1b00456e6f1726

SHA512
3ebad8455a440eb5bb87503fea557e3e30f136a461199bf66aa4ad11307d4dd52914469c59f0c8627310221f80c6048beada8275358c4db5c89eb4de26e16732

Download Submit
\Program Files (x86)\Trojan Remover\trupd.exe

Filesize
6.1MB

MD5
e9ddd7e4c9bd012f8b1adc808ce03052

SHA1
5492401b426548c821e779b35359dd30b1c40b22

SHA256
9738b8019f67bdbe3731d7cebcd9c0ce5b6ac6add34ab04d827ecf36dadb5218

SHA512
e9b47ea65591e791b8375b2d3bb511aa4ed6b1b38f2a4f51578d02d80346b4f714640a8efc6d3ca233b9c2ba45eb051a487a1c02b1c33598c0a93712af157d0d

Download Submit
\Program Files (x86)\Trojan Remover\trupd.exe

Filesize
6.1MB

MD5
e9ddd7e4c9bd012f8b1adc808ce03052

SHA1
5492401b426548c821e779b35359dd30b1c40b22

SHA256
9738b8019f67bdbe3731d7cebcd9c0ce5b6ac6add34ab04d827ecf36dadb5218

SHA512
e9b47ea65591e791b8375b2d3bb511aa4ed6b1b38f2a4f51578d02d80346b4f714640a8efc6d3ca233b9c2ba45eb051a487a1c02b1c33598c0a93712af157d0d

Download Submit
\Program Files (x86)\Trojan Remover\unins000.exe

Filesize
1.5MB

MD5
4aaacbe93ee7ad2d86fe3533068ade70

SHA1
01c3403b90d4c43fa07a13c89035a9a78c2b62c1

SHA256
1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

SHA512
ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

Download Submit
\Users\Admin\AppData\Local\Temp\is-D7U7B.tmp\TaskInst.exe

Filesize
2.3MB

MD5
14d684c576f1d953c470fb7deced7642

SHA1
0f3db6e772f98c1fbbbce0f6b970ddd472427ead

SHA256
3f34a84e2470ced0d4ae5576758bca24eef02d715fe2817e43e5ff819cabf241

SHA512
2dc4a2ba6dd76e80d258e9c0c4eac37039d6c3a12f85c67fb15f545c5151f99c52bd7ae6edf0eba302ab4e7f6c41d3f2e4709e80a5b68a8c1f953ff0a4a1694c

Download Submit
\Users\Admin\AppData\Local\Temp\is-JUJBM.tmp\trojan-remover-6-9-5-build-2979.tmp

Filesize
1.5MB

MD5
4aaacbe93ee7ad2d86fe3533068ade70

SHA1
01c3403b90d4c43fa07a13c89035a9a78c2b62c1

SHA256
1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

SHA512
ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

Download Submit
memory/112-95-0x0000000003620000-0x000000000392A000-memory.dmp

Filesize
3.0MB

Download
memory/984-73-0x0000000001E70000-0x00000000021EF000-memory.dmp

Filesize
3.5MB

Download
memory/984-70-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1712-96-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/1712-62-0x0000000074801000-0x0000000074803000-memory.dmp

Filesize
8KB

Download
memory/1712-67-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/1780-83-0x0000000001DA0000-0x0000000001FFE000-memory.dmp

Filesize
2.4MB

Download
memory/1960-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1960-92-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1960-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1960-55-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1988-78-0x0000000001E30000-0x0000000001F3A000-memory.dmp

Filesize
1.0MB

Download