16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c

Analysis

max time kernel
193s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 13:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
Size

344KB
MD5

0db4ed67bcc34a936d96ced6aa38147d
SHA1

87ac6f101b0873d025c568c1593634e81a2db55d
SHA256

16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c
SHA512

b93aa8db60e5dd5416ff645b9d81487c04d1515220b2806af8ad6ffd9609b656c09a91ee114442e883c2ce87446d0f282272270fb337c8eb7ac692131cd30c30
SSDEEP

6144:9s/g2VN8o0hClXKqbF12LPSzGhOyJZYc67i2CpSIw3SZl26v:9goo0hChbF1GaGhO8167i2tIYS33

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
4820	341d.exe
3268	341d.exe
444	341d.exe
1436	mtv.exe

Loads dropped DLL 20 IoCs

pid	Process
4880	regsvr32.exe
444	341d.exe
4904	rundll32.exe
3776	rundll32.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe
444	341d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63035881-A749-4139-9CAB-82DCFFA7F106}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63035881-A749-4139-9CAB-82DCFFA7F106}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	\??\PhysicalDrive0	341d.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File created	C:\Windows\SysWOW64\Ì“-21-39-7232	rundll32.exe
File created	C:\Windows\SysWOW64\042	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\a8f.flv	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\ba8d.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\ba8d.flv	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File created	C:\Windows\Tasks\ms.job	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\a34b.flv	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\8f6.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\f6f.bmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\6f1u.bmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\a8fd.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\4bad.flv	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\ba8u.bmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\bf14.bmp	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
File opened for modification	C:\Windows\14ba.exe	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib\ = "{3B979AB3-29C8-4DC3-829A-E066DDFEA096}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{63035881-A749-4139-9CAB-82DCFFA7F106}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{63035881-A749-4139-9CAB-82DCFFA7F106}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib\ = "{3B979AB3-29C8-4DC3-829A-E066DDFEA096}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\TypeLib\ = "{3B979AB3-29C8-4DC3-829A-E066DDFEA096}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{939FF0D3-FE01-4326-B7B6-0ADBE9FE6FD9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63035881-A749-4139-9CAB-82DCFFA7F106}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B979AB3-29C8-4DC3-829A-E066DDFEA096}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
444	341d.exe
444	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	mtv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4136	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	79
PID 5008 wrote to memory of 4136	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	79
PID 5008 wrote to memory of 4136	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	79
PID 5008 wrote to memory of 3060	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	80
PID 5008 wrote to memory of 3060	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	80
PID 5008 wrote to memory of 3060	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	80
PID 5008 wrote to memory of 892	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	81
PID 5008 wrote to memory of 892	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	81
PID 5008 wrote to memory of 892	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	81
PID 5008 wrote to memory of 1940	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	82
PID 5008 wrote to memory of 1940	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	82
PID 5008 wrote to memory of 1940	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	82
PID 5008 wrote to memory of 4880	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	83
PID 5008 wrote to memory of 4880	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	83
PID 5008 wrote to memory of 4880	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	83
PID 5008 wrote to memory of 4820	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	84
PID 5008 wrote to memory of 4820	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	84
PID 5008 wrote to memory of 4820	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	84
PID 5008 wrote to memory of 3268	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	86
PID 5008 wrote to memory of 3268	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	86
PID 5008 wrote to memory of 3268	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	86
PID 5008 wrote to memory of 1436	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	89
PID 5008 wrote to memory of 1436	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	89
PID 5008 wrote to memory of 1436	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	89
PID 444 wrote to memory of 4904	444	341d.exe	90
PID 444 wrote to memory of 4904	444	341d.exe	90
PID 444 wrote to memory of 4904	444	341d.exe	90
PID 5008 wrote to memory of 3776	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	91
PID 5008 wrote to memory of 3776	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	91
PID 5008 wrote to memory of 3776	5008	16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe	91

C:\Users\Admin\AppData\Local\Temp\16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe
"C:\Users\Admin\AppData\Local\Temp\16632a2fd7a1bf63ed300a174583805ec4ff12fc456c6a04c29cf2598d26b92c.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
  2⤵
  PID:4136
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
  2⤵
  PID:3060
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
  2⤵
  PID:892
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
  2⤵
  PID:1940
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4880
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -i
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\SysWOW64\341d.exe
  C:\Windows\system32/341d.exe -s
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
  2⤵
  - Loads dropped DLL
  PID:3776

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
56KB

MD5
7b9f259cb7c97dbe4e01e392779624bc

SHA1
b3532baefe1f41704439634593d7412906a56603

SHA256
d0445ce44eb29f1734697c1e7f4019da2cf39dd9b742698ef5d280adb4fcc5c6

SHA512
532570f955a117e8c68da275575ef32cd243636b420bf7d67b2ff9859bfcf534dc23d79f355244c14f5e5f2f58d4aa5ea10d8942e26435408bbb2c36520e1e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe

Filesize
56KB

MD5
7b9f259cb7c97dbe4e01e392779624bc

SHA1
b3532baefe1f41704439634593d7412906a56603

SHA256
d0445ce44eb29f1734697c1e7f4019da2cf39dd9b742698ef5d280adb4fcc5c6

SHA512
532570f955a117e8c68da275575ef32cd243636b420bf7d67b2ff9859bfcf534dc23d79f355244c14f5e5f2f58d4aa5ea10d8942e26435408bbb2c36520e1e38

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
156KB

MD5
3f84011afc912a4a18ddf1fd981f1734

SHA1
d29ee48dd1c0c7c2ec14e174b38670960914d294

SHA256
ec12dad62e12acd4790bedb98d6ca6d10729966cd94e7485d1f5879328886091

SHA512
c7469e17fe8d67be7f85a46624324f948e82dcba8dc6c3b42a0d32f23b5d4d8ce8f25bab62f073f981d03ceb94cb54a1f6464b32f905afe1ccb95879b592d8d2

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
156KB

MD5
3f84011afc912a4a18ddf1fd981f1734

SHA1
d29ee48dd1c0c7c2ec14e174b38670960914d294

SHA256
ec12dad62e12acd4790bedb98d6ca6d10729966cd94e7485d1f5879328886091

SHA512
c7469e17fe8d67be7f85a46624324f948e82dcba8dc6c3b42a0d32f23b5d4d8ce8f25bab62f073f981d03ceb94cb54a1f6464b32f905afe1ccb95879b592d8d2

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
156KB

MD5
3f84011afc912a4a18ddf1fd981f1734

SHA1
d29ee48dd1c0c7c2ec14e174b38670960914d294

SHA256
ec12dad62e12acd4790bedb98d6ca6d10729966cd94e7485d1f5879328886091

SHA512
c7469e17fe8d67be7f85a46624324f948e82dcba8dc6c3b42a0d32f23b5d4d8ce8f25bab62f073f981d03ceb94cb54a1f6464b32f905afe1ccb95879b592d8d2

Download Submit
C:\Windows\SysWOW64\341d.exe

Filesize
156KB

MD5
3f84011afc912a4a18ddf1fd981f1734

SHA1
d29ee48dd1c0c7c2ec14e174b38670960914d294

SHA256
ec12dad62e12acd4790bedb98d6ca6d10729966cd94e7485d1f5879328886091

SHA512
c7469e17fe8d67be7f85a46624324f948e82dcba8dc6c3b42a0d32f23b5d4d8ce8f25bab62f073f981d03ceb94cb54a1f6464b32f905afe1ccb95879b592d8d2

Download Submit
C:\Windows\SysWOW64\341e.dll

Filesize
206KB

MD5
101b332e8a005199002a22a097df07b0

SHA1
bc84b3072d23776f5cda3da2787e8e64121f12a2

SHA256
ff41de101ef80a1b6fd1c241df80af4a570e4bebbb6c0731cf000c1b6832c485

SHA512
6876f60f58c680b2282247d1b82e8a358803317ecc157f334f6c4e5f2bf7befb3cfce1149df0acf7a3c3c6d8d06bfa68fa6b8e63c15384c33ef5858e103731e4

Download Submit
C:\Windows\SysWOW64\341e.dll

Filesize
206KB

MD5
101b332e8a005199002a22a097df07b0

SHA1
bc84b3072d23776f5cda3da2787e8e64121f12a2

SHA256
ff41de101ef80a1b6fd1c241df80af4a570e4bebbb6c0731cf000c1b6832c485

SHA512
6876f60f58c680b2282247d1b82e8a358803317ecc157f334f6c4e5f2bf7befb3cfce1149df0acf7a3c3c6d8d06bfa68fa6b8e63c15384c33ef5858e103731e4

Download Submit
C:\Windows\SysWOW64\341e.dll

Filesize
206KB

MD5
101b332e8a005199002a22a097df07b0

SHA1
bc84b3072d23776f5cda3da2787e8e64121f12a2

SHA256
ff41de101ef80a1b6fd1c241df80af4a570e4bebbb6c0731cf000c1b6832c485

SHA512
6876f60f58c680b2282247d1b82e8a358803317ecc157f334f6c4e5f2bf7befb3cfce1149df0acf7a3c3c6d8d06bfa68fa6b8e63c15384c33ef5858e103731e4

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
C:\Windows\SysWOW64\b34o.dll

Filesize
127KB

MD5
813fed5c5827bfbc721dcfe2c521d870

SHA1
eed83f622e37ffd6a47ea540fa9b75c9ea99ebb4

SHA256
5059328ffd523af198b84a0a12c7594c59ed585550267aec1359deade2e0ee17

SHA512
7e77823b29e3ded3825430d56dc1854b540b04f7c961ec4751cc856aeb2619944c8d0b2d5051a447cfcd3758634e661d7f4a0421c2ee7a043e43675a1a5d4d4d

Download Submit
memory/444-183-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-191-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-162-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-194-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-164-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-160-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-166-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-192-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-168-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-180-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-170-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-190-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-172-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-188-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-174-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-186-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-176-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-154-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-178-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/444-182-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4880-140-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4904-184-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/4904-155-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/5008-157-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5008-132-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download