9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 01:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe
Size

1.0MB
MD5

0d800148c23eef7fd88627400d5fe349
SHA1

d0bd6c7ef36bcfa702d961093c045adb6d860e87
SHA256

9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912
SHA512

73f0501cbc4f025fde81447a2aab99144ff96a219184c927bb2d276b73a3de369e9b94bbb0fd1513fe6a07ceafc5088e0b6c58633ec79201f922ce24a92f5857
SSDEEP

24576:DaolocCGTF4vgCFJVjJwdiuhbBwhhbHd4NKEybcRtJaYYO:uoacCClCRJwQybBwzjdQZybYtYXO

Score

10^/10

adware aspackv2 bootkit discovery evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\103188.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\103188.exe:*:Enabled:DM"	103188.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica	103188.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	103188.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	103188.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	103188.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	103188.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022f84-156.dat	aspack_v212_v242
behavioral2/files/0x0006000000022f84-157.dat	aspack_v212_v242

Blocklisted process makes network request 35 IoCs

flow	pid	Process
46	4336	rundll32.exe
52	4336	rundll32.exe
53	4336	rundll32.exe
54	4336	rundll32.exe
55	4336	rundll32.exe
58	4336	rundll32.exe
59	4336	rundll32.exe
60	4336	rundll32.exe
61	4336	rundll32.exe
62	4336	rundll32.exe
63	4336	rundll32.exe
64	4336	rundll32.exe
65	4336	rundll32.exe
66	4336	rundll32.exe
67	4336	rundll32.exe
68	4336	rundll32.exe
69	4336	rundll32.exe
70	4336	rundll32.exe
73	4336	rundll32.exe
74	4336	rundll32.exe
75	4336	rundll32.exe
76	4336	rundll32.exe
80	4336	rundll32.exe
81	4336	rundll32.exe
82	4336	rundll32.exe
85	4336	rundll32.exe
86	4336	rundll32.exe
87	4336	rundll32.exe
88	4336	rundll32.exe
90	4336	rundll32.exe
91	4336	rundll32.exe
92	4336	rundll32.exe
96	4336	rundll32.exe
97	4336	rundll32.exe
98	4336	rundll32.exe

Executes dropped EXE 10 IoCs

pid	Process
3376	103188.exe
4952	lala3.exe
1508	regsvc.exe
3800	lala3.exe
208	setup.exe
2168	bind_40024.exe
4300	198998.exe
1484	5084.exe
1220	110373.exe
2444	Mrup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022f71-134.dat	upx
behavioral2/files/0x0009000000022f71-135.dat	upx
behavioral2/memory/3376-136-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/3376-137-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	198998.exe

Loads dropped DLL 14 IoCs

pid	Process
1508	regsvc.exe
208	setup.exe
208	setup.exe
208	setup.exe
2168	bind_40024.exe
2168	bind_40024.exe
2168	bind_40024.exe
2168	bind_40024.exe
1484	5084.exe
1220	110373.exe
4336	rundll32.exe
1068	regsvr32.exe
4896	rundll32.exe
3028	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop = "C:\\Windows\\system32\\rundll32.exe \"C:\\Program Files (x86)\\DeskAdTop\\Run.dll\" ,Rundll"	110373.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B770A0-0E87-4278-B748-2460D64A8386}	5084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08A312BB-5409-49FC-9347-54BB7D069AC6}	110373.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	110373.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\iedetect.dll	regsvc.exe
File opened for modification	C:\Windows\SysWOW64\iedetect.dll	regsvc.exe
File created	C:\Windows\SysWOW64\distributer.txt	198998.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\sinfo.ini	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Mrup.exe	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx.tmp	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\setup.tmp	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe.tmp	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat.tmp	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe.tmp	110373.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\allverx.dat	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\_uninstall	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx.tmp	110373.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	110373.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\DM_Install_Program.job	103188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International	regsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\nTimes = "66"	regsvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\TypeLib	110373.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\TypeLib	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D3E83EA-EBB1-4C65-BF57-66B99DC334A1}\VERSION\ = "1.0"	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16B770A0-0E87-4278-B748-2460D64A8386}\InprocServer32\ThreadingModel = "Apartment"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C627D83F-3357-4250-B1A5-AA13E249983D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\iedetect.dll"	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D3E83EA-EBB1-4C65-BF57-66B99DC334A1}\TypeLib\ = "{C627D83F-3357-4250-B1A5-AA13E249983D}"	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MonitorIE.MonitorURL.1\ = "MonitorURL Class"	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CLSID	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CLSID\ = "{16B770A0-0E87-4278-B748-2460D64A8386}"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C627D83F-3357-4250-B1A5-AA13E249983D}\1.0\0	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\ = "MyIEHelper Class"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MonitorIE.MonitorURL\ = "MonitorURL Class"	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\TypeLib	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\HELPDIR	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib\ = "{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MonitorIE.MonitorURL\CurVer\ = "MonitorIE.MonitorURL.1"	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\ProxyStubClsid32	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\TypeLib\Version = "1.0"	110373.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C627D83F-3357-4250-B1A5-AA13E249983D}\1.0\0\win32	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\TypeLib\ = "{C627D83F-3357-4250-B1A5-AA13E249983D}"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\FLAGS	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID\ = "MonitorIE.MonitorURL.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16B770A0-0E87-4278-B748-2460D64A8386}\InprocServer32\ = "C:\\ProgramData\\Application Data\\Microsoft\\IEHelper\\IEHelper_5084.dll"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\ = "IEHelper 1.0 Type Library"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "MonitorIE.MonitorURL"	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D3E83EA-EBB1-4C65-BF57-66B99DC334A1}\InprocServer32\ThreadingModel = "Apartment"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16B770A0-0E87-4278-B748-2460D64A8386}\ProgID	5084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D3E83EA-EBB1-4C65-BF57-66B99DC334A1}\VERSION	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DeskAdTop\\"	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "MonitorIE.MonitorURL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}	5084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\ = "IMonitorURL"	110373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C1CE329-606F-4C0F-8A85-9C2818878AF3}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	110373.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper.1\ = "MyIEHelper Class"	5084.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CurVer\ = "IEHelper.MyIEHelper.1"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MonitorIE.MonitorURL\CurVer\ = "MonitorIE.MonitorURL.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\ProxyStubClsid32	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\TypeLib\Version = "1.0"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D3E83EA-EBB1-4C65-BF57-66B99DC334A1}	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C627D83F-3357-4250-B1A5-AA13E249983D}\1.0\FLAGS\ = "0"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\ProxyStubClsid32	regsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{646F5C60-65CC-4B46-B994-CD4BE8BC4CF8}\TypeLib\Version = "1.0"	regsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\0\win32	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5084.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ = "C:\\PROGRA~2\\DESKAD~1\\deskipn.dll"	110373.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C627D83F-3357-4250-B1A5-AA13E249983D}	regsvc.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4952	lala3.exe
1508	regsvc.exe
4300	198998.exe
4300	198998.exe
1220	110373.exe
2444	Mrup.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe
4336	rundll32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3376	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	79
PID 1532 wrote to memory of 3376	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	79
PID 1532 wrote to memory of 3376	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	79
PID 1532 wrote to memory of 4952	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	80
PID 1532 wrote to memory of 4952	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	80
PID 1532 wrote to memory of 4952	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	80
PID 4952 wrote to memory of 1508	4952	lala3.exe	83
PID 4952 wrote to memory of 1508	4952	lala3.exe	83
PID 4952 wrote to memory of 1508	4952	lala3.exe	83
PID 1508 wrote to memory of 4736	1508	regsvc.exe	84
PID 1508 wrote to memory of 4736	1508	regsvc.exe	84
PID 1508 wrote to memory of 4736	1508	regsvc.exe	84
PID 4952 wrote to memory of 3800	4952	lala3.exe	86
PID 4952 wrote to memory of 3800	4952	lala3.exe	86
PID 4952 wrote to memory of 3800	4952	lala3.exe	86
PID 3800 wrote to memory of 208	3800	lala3.exe	87
PID 3800 wrote to memory of 208	3800	lala3.exe	87
PID 3800 wrote to memory of 208	3800	lala3.exe	87
PID 1532 wrote to memory of 2168	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	88
PID 1532 wrote to memory of 2168	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	88
PID 1532 wrote to memory of 2168	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	88
PID 1532 wrote to memory of 4300	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	89
PID 1532 wrote to memory of 4300	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	89
PID 1532 wrote to memory of 4300	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	89
PID 1532 wrote to memory of 1484	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	90
PID 1532 wrote to memory of 1484	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	90
PID 1532 wrote to memory of 1484	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	90
PID 1532 wrote to memory of 1220	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	91
PID 1532 wrote to memory of 1220	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	91
PID 1532 wrote to memory of 1220	1532	9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe	91
PID 1220 wrote to memory of 4336	1220	110373.exe	92
PID 1220 wrote to memory of 4336	1220	110373.exe	92
PID 1220 wrote to memory of 4336	1220	110373.exe	92
PID 4336 wrote to memory of 2444	4336	rundll32.exe	93
PID 4336 wrote to memory of 2444	4336	rundll32.exe	93
PID 4336 wrote to memory of 2444	4336	rundll32.exe	93
PID 1220 wrote to memory of 1068	1220	110373.exe	94
PID 1220 wrote to memory of 1068	1220	110373.exe	94
PID 1220 wrote to memory of 1068	1220	110373.exe	94
PID 1068 wrote to memory of 4896	1068	regsvr32.exe	95
PID 1068 wrote to memory of 4896	1068	regsvr32.exe	95
PID 1068 wrote to memory of 4896	1068	regsvr32.exe	95
PID 1220 wrote to memory of 3028	1220	110373.exe	96
PID 1220 wrote to memory of 3028	1220	110373.exe	96
PID 1220 wrote to memory of 3028	1220	110373.exe	96

C:\Users\Admin\AppData\Local\Temp\9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe
"C:\Users\Admin\AppData\Local\Temp\9204e8cc119dd82239dc590488ecc9ca2332dda9cbaec473d923b7ed57c2a912.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\103188.exe
  C:\Users\Admin\AppData\Local\Temp\103188.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\lala3.exe
  C:\Users\Admin\AppData\Local\Temp\lala3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\temp\regsvc.exe
    C:\Windows\temp\regsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\temp\_ntee.bat
      4⤵
      PID:4736
- - C:\Windows\temp\lala3.exe
    C:\Windows\temp\lala3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\3C1E\setup.exe
      C:\Users\Admin\AppData\Local\Temp\3C1E\setup.exe 00010802
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:208
- C:\Users\Admin\AppData\Local\Temp\bind_40024.exe
  C:\Users\Admin\AppData\Local\Temp\bind_40024.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\198998.exe
  C:\Users\Admin\AppData\Local\Temp\198998.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\5084.exe
  C:\Users\Admin\AppData\Local\Temp\5084.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\110373.exe
  C:\Users\Admin\AppData\Local\Temp\110373.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DeskAdTop\Run.dll" ,Rundll
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Program Files (x86)\DeskAdTop\Mrup.exe
      "C:\Program Files (x86)\DeskAdTop\Mrup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2444
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Program Files (x86)\DeskAdTop\deskipn.dll" -s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DeskAdTop\Run.dll" ,Rundll
      4⤵
      Loads dropped DLL
      PID:4896
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DeskAdTop\Run.dll" ,Rundll
    3⤵
    - Loads dropped DLL
    PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DeskAdTop\Mrup.exe

Filesize
24KB

MD5
087d40526d70ece5325b0c0b988a87d9

SHA1
d9d3cd784cdcfb9d2a3b9e2a6845888c1133cd2c

SHA256
9be7e086065c86ca181460fb77afa279e0d7f305c81caa8549fb053552b634a9

SHA512
674b18d8bbcab83beba9453c588e60cd9eeda0028c30a621281af6c9ece1b6c1504b181fdc45804956cd5232fef21d38579773dffcb1b09c6ae93367df63ab4d

Download Submit
C:\Program Files (x86)\DeskAdTop\Mrup.exe

Filesize
24KB

MD5
087d40526d70ece5325b0c0b988a87d9

SHA1
d9d3cd784cdcfb9d2a3b9e2a6845888c1133cd2c

SHA256
9be7e086065c86ca181460fb77afa279e0d7f305c81caa8549fb053552b634a9

SHA512
674b18d8bbcab83beba9453c588e60cd9eeda0028c30a621281af6c9ece1b6c1504b181fdc45804956cd5232fef21d38579773dffcb1b09c6ae93367df63ab4d

Download Submit
C:\Program Files (x86)\DeskAdTop\Run.dll

Filesize
88KB

MD5
6b79d1ab40bb095dacf431581d10d37c

SHA1
29510cd11450429d561e8036abe9c18becd9ba5c

SHA256
9b905acebf76fa0a9e73d4042a004e1e722405790a7c47c81558ea57df682334

SHA512
651426b39c9ab3bb5e648cb7ff13851e87eb659b9141c75c1d21e3b96bf234d2ffb5e05aa1c4aabc35fbdff0053a6b1638a4c69a3e8d44d9ef6d1c72f89c743c

Download Submit
C:\Program Files (x86)\DeskAdTop\Run.dll

Filesize
88KB

MD5
6b79d1ab40bb095dacf431581d10d37c

SHA1
29510cd11450429d561e8036abe9c18becd9ba5c

SHA256
9b905acebf76fa0a9e73d4042a004e1e722405790a7c47c81558ea57df682334

SHA512
651426b39c9ab3bb5e648cb7ff13851e87eb659b9141c75c1d21e3b96bf234d2ffb5e05aa1c4aabc35fbdff0053a6b1638a4c69a3e8d44d9ef6d1c72f89c743c

Download Submit
C:\Program Files (x86)\DeskAdTop\Run.dll

Filesize
88KB

MD5
6b79d1ab40bb095dacf431581d10d37c

SHA1
29510cd11450429d561e8036abe9c18becd9ba5c

SHA256
9b905acebf76fa0a9e73d4042a004e1e722405790a7c47c81558ea57df682334

SHA512
651426b39c9ab3bb5e648cb7ff13851e87eb659b9141c75c1d21e3b96bf234d2ffb5e05aa1c4aabc35fbdff0053a6b1638a4c69a3e8d44d9ef6d1c72f89c743c

Download Submit
C:\Program Files (x86)\DeskAdTop\Run.dll

Filesize
88KB

MD5
6b79d1ab40bb095dacf431581d10d37c

SHA1
29510cd11450429d561e8036abe9c18becd9ba5c

SHA256
9b905acebf76fa0a9e73d4042a004e1e722405790a7c47c81558ea57df682334

SHA512
651426b39c9ab3bb5e648cb7ff13851e87eb659b9141c75c1d21e3b96bf234d2ffb5e05aa1c4aabc35fbdff0053a6b1638a4c69a3e8d44d9ef6d1c72f89c743c

Download Submit
C:\Program Files (x86)\DeskAdTop\deskipn.dll

Filesize
56KB

MD5
8822a2f089812a9333a53d68364ef692

SHA1
bd216f9732a519037d75fd9ddbed3f33e1a3fe0b

SHA256
cac5d28bba3059044855c6bd2f97e37afc5b17ff798c05a0169744c6f2b0055c

SHA512
11528355b168094e0c096fcf9e9e3b1fa0d249d4d4f3c101fe7cc748107aa67a822eae056f7e08ba992bf14e0299da1b520018a47363e56b5c0ac31412c7ed25

Download Submit
C:\Program Files (x86)\DeskAdTop\deskipn.dll

Filesize
56KB

MD5
8822a2f089812a9333a53d68364ef692

SHA1
bd216f9732a519037d75fd9ddbed3f33e1a3fe0b

SHA256
cac5d28bba3059044855c6bd2f97e37afc5b17ff798c05a0169744c6f2b0055c

SHA512
11528355b168094e0c096fcf9e9e3b1fa0d249d4d4f3c101fe7cc748107aa67a822eae056f7e08ba992bf14e0299da1b520018a47363e56b5c0ac31412c7ed25

Download Submit
C:\Program Files (x86)\DeskAdTop\deskipn.dll

Filesize
56KB

MD5
8822a2f089812a9333a53d68364ef692

SHA1
bd216f9732a519037d75fd9ddbed3f33e1a3fe0b

SHA256
cac5d28bba3059044855c6bd2f97e37afc5b17ff798c05a0169744c6f2b0055c

SHA512
11528355b168094e0c096fcf9e9e3b1fa0d249d4d4f3c101fe7cc748107aa67a822eae056f7e08ba992bf14e0299da1b520018a47363e56b5c0ac31412c7ed25

Download Submit
C:\Program Files (x86)\DeskAdTop\sinfo.ini

Filesize
77B

MD5
3f8f55303542f26e8876f3bc7fd55c06

SHA1
27779bbfc3b63c6735f687b4043776d0178c4143

SHA256
54b5af9e4ee1d8ac76feed8ae2282736b1d195e1b8e0e2db24c767642ac31fd0

SHA512
e7fe8fdc56f4ee3a9c7db365a3d6af8d0431084379f545971830eb53c1bf24448c9601d9be94884c9493267f4499c82920ae6bea765a37ebb8dde54ba20efe01

Download Submit
C:\ProgramData\Microsoft\IEHelper\IEHelper_5084.dll

Filesize
120KB

MD5
db1e5d703141847ae5dbd0861acfab2e

SHA1
4e6c1f3916354afb62a5f28ec024a45a1ff4a981

SHA256
62c79b3dce57fe234f081597757a95b09529ae224e3c7b8a35ab31faca257906

SHA512
527044f26f52684fe5035ce9d21f7328bc4407e511fbb6fa6df75df9232c0d64f67fd7767912531877ff29a4e7de89ecc86d2ce4de2382263dc27b17cee6a24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\103188.exe

Filesize
60KB

MD5
6cb5dfb3b1b0665f37dce319ed40bec8

SHA1
41940f954015c1ba38e82b3f201f2f685ec81640

SHA256
ba091778688a922dceedeeda35461ced9c7ec527096064695fe0ebc253551d85

SHA512
240a6c0c189b93335f87d70bcaeeb524e3ed74ba01ebee1919de178981433f11e11b0a843edf611787215efa497c7d5a30a41f3c8ab8957cef76a021805f7609

Download Submit
C:\Users\Admin\AppData\Local\Temp\103188.exe

Filesize
60KB

MD5
6cb5dfb3b1b0665f37dce319ed40bec8

SHA1
41940f954015c1ba38e82b3f201f2f685ec81640

SHA256
ba091778688a922dceedeeda35461ced9c7ec527096064695fe0ebc253551d85

SHA512
240a6c0c189b93335f87d70bcaeeb524e3ed74ba01ebee1919de178981433f11e11b0a843edf611787215efa497c7d5a30a41f3c8ab8957cef76a021805f7609

Download Submit
C:\Users\Admin\AppData\Local\Temp\110373.exe

Filesize
116KB

MD5
4d4964fc5f7a228e94917f1e5dcaedb7

SHA1
b7c397fb17cce3e2177bb84e3a8cb09550f4ec0d

SHA256
34b3af58ec8a4a49fc35daf3c67e82c41bff12641ed3f31ba629d747690a04b4

SHA512
16caab5a76b8a5326d8916e6b94a19fa75479bd52fc3f63775affb4dfa00b3f6a4317c467804ca68ba736fc97a5266158802cc94bf41b3844accf1d6180f4fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\110373.exe

Filesize
116KB

MD5
4d4964fc5f7a228e94917f1e5dcaedb7

SHA1
b7c397fb17cce3e2177bb84e3a8cb09550f4ec0d

SHA256
34b3af58ec8a4a49fc35daf3c67e82c41bff12641ed3f31ba629d747690a04b4

SHA512
16caab5a76b8a5326d8916e6b94a19fa75479bd52fc3f63775affb4dfa00b3f6a4317c467804ca68ba736fc97a5266158802cc94bf41b3844accf1d6180f4fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\198998.exe

Filesize
36KB

MD5
7d74af1a369d0dcb87e300548c6ddac8

SHA1
e37b385e207c7ed06e1b4c00abf14c39f0cb5fa5

SHA256
1d918189c08bc4cea1ff1833f178d41542d2d29739011b39af797d0fe851f75c

SHA512
c2f05b79174500154c6febf2c53c55f5cf32466d6c56f744d41e3a9c8702c93f0e2092c07e63efe197f8c80dc4e738800f32601a815fd314ac40f8d29642df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\198998.exe

Filesize
36KB

MD5
7d74af1a369d0dcb87e300548c6ddac8

SHA1
e37b385e207c7ed06e1b4c00abf14c39f0cb5fa5

SHA256
1d918189c08bc4cea1ff1833f178d41542d2d29739011b39af797d0fe851f75c

SHA512
c2f05b79174500154c6febf2c53c55f5cf32466d6c56f744d41e3a9c8702c93f0e2092c07e63efe197f8c80dc4e738800f32601a815fd314ac40f8d29642df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\cdnins.dll

Filesize
84KB

MD5
dc55f4457dcc681a15a894a4266203ac

SHA1
978b584572c6ac465d295c3f9cc5aeb8f8711d45

SHA256
773b59b6d4751910d8a4b68415a5724810fd6d0e26bb6093536e65745f1227db

SHA512
083c93567f9a5e6a75df11d576e2ca42f903b5b9537e79dc297b55e22ec81515d5e9d0f10c992f3b0b314fb942dbfd9ac542042bd840e07ae0cc472f8afa3893

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\cdnins.dll

Filesize
84KB

MD5
dc55f4457dcc681a15a894a4266203ac

SHA1
978b584572c6ac465d295c3f9cc5aeb8f8711d45

SHA256
773b59b6d4751910d8a4b68415a5724810fd6d0e26bb6093536e65745f1227db

SHA512
083c93567f9a5e6a75df11d576e2ca42f903b5b9537e79dc297b55e22ec81515d5e9d0f10c992f3b0b314fb942dbfd9ac542042bd840e07ae0cc472f8afa3893

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\cdnprh.dll

Filesize
48KB

MD5
04b40aa95c1bfa3bf9de763c352973d5

SHA1
8dd28cda924d1c67442b19354630f4df5e6d42be

SHA256
64f383e860a18d9c15cd125e09d4e61abc1b440cc44b638d8836b4e39246e86c

SHA512
5232d3490e9c21a0ee3aaf48f1e9a09e15f6b0faade88b66784dee1647fef42e179426fb2e7e75417d81351d4163174b96391b51a21f922cc392b03422475da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\cdnprh.dll

Filesize
48KB

MD5
04b40aa95c1bfa3bf9de763c352973d5

SHA1
8dd28cda924d1c67442b19354630f4df5e6d42be

SHA256
64f383e860a18d9c15cd125e09d4e61abc1b440cc44b638d8836b4e39246e86c

SHA512
5232d3490e9c21a0ee3aaf48f1e9a09e15f6b0faade88b66784dee1647fef42e179426fb2e7e75417d81351d4163174b96391b51a21f922cc392b03422475da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\cdnprh.dll

Filesize
48KB

MD5
04b40aa95c1bfa3bf9de763c352973d5

SHA1
8dd28cda924d1c67442b19354630f4df5e6d42be

SHA256
64f383e860a18d9c15cd125e09d4e61abc1b440cc44b638d8836b4e39246e86c

SHA512
5232d3490e9c21a0ee3aaf48f1e9a09e15f6b0faade88b66784dee1647fef42e179426fb2e7e75417d81351d4163174b96391b51a21f922cc392b03422475da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\setup.exe

Filesize
28KB

MD5
2b788ad1a086a2f2292055da41dbfa8b

SHA1
155dc2168417cbcfd178d52f8d2727891c7d00d8

SHA256
f12ae53bd8aa86dcb52a9535ce50ddc16f89b1ab2ec245483ab01ea7adc0a676

SHA512
763e0f2bcb8676bfa587600446d6a92fc94103a90d8a26d2e91ff954c15abf58155157b59d22d4e62c56f1d89c988b3eeb0f8c355b6316abf1d656cd09d1f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\setup.exe

Filesize
28KB

MD5
2b788ad1a086a2f2292055da41dbfa8b

SHA1
155dc2168417cbcfd178d52f8d2727891c7d00d8

SHA256
f12ae53bd8aa86dcb52a9535ce50ddc16f89b1ab2ec245483ab01ea7adc0a676

SHA512
763e0f2bcb8676bfa587600446d6a92fc94103a90d8a26d2e91ff954c15abf58155157b59d22d4e62c56f1d89c988b3eeb0f8c355b6316abf1d656cd09d1f7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C1E\src.dat

Filesize
144B

MD5
d9b54934f7473815a751ded2573d10df

SHA1
cbcee250760f6e4f07f4097185609f1c5e4ce3dc

SHA256
f189604e7694e8cb11dacdd8e9c9d2066f004032eacbe2306b080875f30e2057

SHA512
703e1e50c099b17b7a0d32c0dbc51406292fb184efcb60c7e8ed11ea27c23b617a7cf775d2ab8da21007467d24278921f2e165f8e9aa0388596ddc18897d4279

Download Submit
C:\Users\Admin\AppData\Local\Temp\5084.exe

Filesize
172KB

MD5
5f1ee9c68f1f69527ad14ea820d007d7

SHA1
321a2bd0c317888f9bd4e78b4db7a11a503e5f7a

SHA256
bc98bf49de1c281f0b56e5670b25d07a47345931a030758c868d8cb9d30c052a

SHA512
e4ee2c039e7c00419ac8bcf3750c923ee5b3797a3ce963c176802221b1ac4c936610fa89d9f28464f90e8847b3ee9c09cd1dece90f7035f111d736018af12e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5084.exe

Filesize
172KB

MD5
5f1ee9c68f1f69527ad14ea820d007d7

SHA1
321a2bd0c317888f9bd4e78b4db7a11a503e5f7a

SHA256
bc98bf49de1c281f0b56e5670b25d07a47345931a030758c868d8cb9d30c052a

SHA512
e4ee2c039e7c00419ac8bcf3750c923ee5b3797a3ce963c176802221b1ac4c936610fa89d9f28464f90e8847b3ee9c09cd1dece90f7035f111d736018af12e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bind_40024.exe

Filesize
40KB

MD5
aa28487894bffbb2f65de8075742928e

SHA1
17d6a301a44ef4ac72578083a22e8ac3ae8cfe59

SHA256
6ec7f475fd8dbe59b12b4f56812d51b15ff17ce2634a3b2fc75d020c2df68381

SHA512
759366d358ee3c36b73ff70d293401e3ba88ffff82564c1f6b5fc5e8c9bf21322c2c4ce3fd02031f72b845f7d026a600336bf54b557feab8b21c2628adeebe5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bind_40024.exe

Filesize
40KB

MD5
aa28487894bffbb2f65de8075742928e

SHA1
17d6a301a44ef4ac72578083a22e8ac3ae8cfe59

SHA256
6ec7f475fd8dbe59b12b4f56812d51b15ff17ce2634a3b2fc75d020c2df68381

SHA512
759366d358ee3c36b73ff70d293401e3ba88ffff82564c1f6b5fc5e8c9bf21322c2c4ce3fd02031f72b845f7d026a600336bf54b557feab8b21c2628adeebe5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lala3.exe

Filesize
422KB

MD5
9fad58db8c3d78cd309855340a9d369c

SHA1
ef6e4a3254fa2fe7d9a63dd10dcd0bf8dea3d914

SHA256
a8a2e56fa9cb56b52ca97bdb0d0fafcbb572278c0779e1dcfe28c558d145f790

SHA512
48337abc60703bdfe80edf4bfe9607f426e3de0e8a974e96b63ea1addb4b6adf459f2c2d44e610ac1231e81dd997041d8014891b91a6d7a88c668a84b691b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lala3.exe

Filesize
422KB

MD5
9fad58db8c3d78cd309855340a9d369c

SHA1
ef6e4a3254fa2fe7d9a63dd10dcd0bf8dea3d914

SHA256
a8a2e56fa9cb56b52ca97bdb0d0fafcbb572278c0779e1dcfe28c558d145f790

SHA512
48337abc60703bdfe80edf4bfe9607f426e3de0e8a974e96b63ea1addb4b6adf459f2c2d44e610ac1231e81dd997041d8014891b91a6d7a88c668a84b691b6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5489.tmp\NSISdl.dll

Filesize
12KB

MD5
c76bd43dfde8ad2ca10bf4e3f87c7fd8

SHA1
5b80013848f1e0176abb5f0c055ab5cf83511a70

SHA256
7bd10e8ac946a15dac219926aecd065ae3a3efa94b71b4aba304a9371c2f6f6e

SHA512
b4f7b65e3b3d5b180c21913b16504134e4ea10a48c16f61db28b89c8840c3bbf5c5e8d9777d8fc550c3e7a6f8bb8779c3bd7bee48bceb7c096b410923352f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5489.tmp\NSISdl.dll

Filesize
12KB

MD5
c76bd43dfde8ad2ca10bf4e3f87c7fd8

SHA1
5b80013848f1e0176abb5f0c055ab5cf83511a70

SHA256
7bd10e8ac946a15dac219926aecd065ae3a3efa94b71b4aba304a9371c2f6f6e

SHA512
b4f7b65e3b3d5b180c21913b16504134e4ea10a48c16f61db28b89c8840c3bbf5c5e8d9777d8fc550c3e7a6f8bb8779c3bd7bee48bceb7c096b410923352f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5489.tmp\NSISdl.dll

Filesize
12KB

MD5
c76bd43dfde8ad2ca10bf4e3f87c7fd8

SHA1
5b80013848f1e0176abb5f0c055ab5cf83511a70

SHA256
7bd10e8ac946a15dac219926aecd065ae3a3efa94b71b4aba304a9371c2f6f6e

SHA512
b4f7b65e3b3d5b180c21913b16504134e4ea10a48c16f61db28b89c8840c3bbf5c5e8d9777d8fc550c3e7a6f8bb8779c3bd7bee48bceb7c096b410923352f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5489.tmp\NSISdl.dll

Filesize
12KB

MD5
c76bd43dfde8ad2ca10bf4e3f87c7fd8

SHA1
5b80013848f1e0176abb5f0c055ab5cf83511a70

SHA256
7bd10e8ac946a15dac219926aecd065ae3a3efa94b71b4aba304a9371c2f6f6e

SHA512
b4f7b65e3b3d5b180c21913b16504134e4ea10a48c16f61db28b89c8840c3bbf5c5e8d9777d8fc550c3e7a6f8bb8779c3bd7bee48bceb7c096b410923352f3e7

Download Submit
C:\Windows\SysWOW64\iedetect.dll

Filesize
19KB

MD5
ae4260a5f77f8abb7da96f7b65049d32

SHA1
1aac9c1b4765aeab674fb5ad50db970cd16a6308

SHA256
f49cb4bf50febe937c0c095089d00451a845d73a28e0e8f4b7ab64c84a28cb73

SHA512
debc15a7dce27950c21839fa5e424ac8cdd9f6648a0d2ebc8cb857a19c78db1b369c13a08a876617b7ffc1001dc51081d8c2a2dec74b85b15dc506c09f87ffe5

Download Submit
C:\Windows\Temp\lala3.exe

Filesize
389KB

MD5
5b74eb529162870d97c69857e3575559

SHA1
846ceaa3ebecc60208f68b2355a90e0976466da0

SHA256
a18910d1f0a154575545009a3c4d3ab99f0794a9f56b1561074d207ef56909c3

SHA512
070d515c07827497481b04b53a9c3c314a5b907f0f2c4299ca17a595ac2fba452d9dffe651415727f0438e882b6428a19128ea242dd4d6fb70206896713ffa97

Download Submit
C:\Windows\Temp\regsvc.exe

Filesize
27KB

MD5
d9dadd759768ce7113b1cee27f1955aa

SHA1
b8434fb24a332c5195687f67119d1ee81f3272bd

SHA256
949def651ebbdec3ac485465dab9d68231f79489cfb63d675d96858116c9ec1b

SHA512
335c7ea60398e8e99c44b531ffff52f59831e34dc48ca6e59cd39b32c79c11f99b05ef3dc3422cbd07df64ecbfda42647895b141de71e6e3813f9b8f7743277b

Download Submit
C:\Windows\temp\_ntee.bat

Filesize
96B

MD5
5dd8e14b95cd5d1b1559775d4fb557e9

SHA1
2d4226d59b75e5f56ac8f2d99c177f962c817678

SHA256
85774cdfe6d927828ba4ac422346cd50632d00026066ee57e543ee1ceebadedc

SHA512
94c1eb58a86fc61aebdd0d0e4d4068caeb0487eb378ccc857090cc9635bb0cc7d5b86533869076250cc9451eba1f6c8c62b9a92ef5d2ab51c6bcdf71cb892fed

Download Submit
C:\Windows\temp\lala3.exe

Filesize
389KB

MD5
5b74eb529162870d97c69857e3575559

SHA1
846ceaa3ebecc60208f68b2355a90e0976466da0

SHA256
a18910d1f0a154575545009a3c4d3ab99f0794a9f56b1561074d207ef56909c3

SHA512
070d515c07827497481b04b53a9c3c314a5b907f0f2c4299ca17a595ac2fba452d9dffe651415727f0438e882b6428a19128ea242dd4d6fb70206896713ffa97

Download Submit
C:\Windows\temp\regsvc.exe

Filesize
27KB

MD5
d9dadd759768ce7113b1cee27f1955aa

SHA1
b8434fb24a332c5195687f67119d1ee81f3272bd

SHA256
949def651ebbdec3ac485465dab9d68231f79489cfb63d675d96858116c9ec1b

SHA512
335c7ea60398e8e99c44b531ffff52f59831e34dc48ca6e59cd39b32c79c11f99b05ef3dc3422cbd07df64ecbfda42647895b141de71e6e3813f9b8f7743277b

Download Submit
memory/1508-152-0x0000000011000000-0x0000000011010000-memory.dmp

Filesize
64KB

Download
memory/1508-154-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1508-149-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3376-137-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3376-136-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3800-158-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3800-168-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4952-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4952-169-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads