6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97

Analysis

max time kernel
35s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
Size

1.7MB
MD5

89201e297ca802d7abbcca8058da1263
SHA1

da607c6ddd1d435586df4ce78ede849a8a020cc7
SHA256

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97
SHA512

422021c21bf3253a455a0bb5cb8041e5837eba73ec2465775d1f28fd08fd1b5e64fea19bb649cef22cf32a942475835e05a2dc71d7905a75e7f275fe849a66e8
SSDEEP

49152:dIk3o0nifve558Z9TpaPGsDJPS0JLCWn4DXf1dSthVHrjW:p40UW+9Tpf8JPS0JWWSXNdSthVHG

Score

9^/10

adware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp	acprotect

Executes dropped EXE 4 IoCs

Processes:

GLJ1317.tmpGLJ1317.tmpGLJ1317.tmpGLJ1317.tmp

pid process

1008 GLJ1317.tmp
1336 GLJ1317.tmp
1488 GLJ1317.tmp
636 GLJ1317.tmp

pid	process
1008	GLJ1317.tmp
1336	GLJ1317.tmp
1488	GLJ1317.tmp
636	GLJ1317.tmp

Loads dropped DLL 38 IoCs

Processes:

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exeGLJ1317.tmpGLJ1317.tmpGLJ1317.tmpGLJ1317.tmp

pid	process
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1008	GLJ1317.tmp
1008	GLJ1317.tmp
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1336	GLJ1317.tmp
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
1488	GLJ1317.tmp
1488	GLJ1317.tmp
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
636	GLJ1317.tmp
636	GLJ1317.tmp
1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9123D9E-EA11-4535-9DF7-5DB6F91812D1}	regedit.exe

Drops file in System32 directory 23 IoCs

Processes:

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\vbbho.tlb	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\olelib.tlb	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\olelib2.tlb	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\temp.000	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\shdocvw.dll	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0007.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\insbho.reg	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0009.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0002.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0005.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\Urlmon.idl	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0003.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0004.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\Mscomctl.ocx	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0006.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0001.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\urlmon.tlb	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Windows\SysWOW64\VBBHO.dll	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\temp.002	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\temp.001	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Windows\SysWOW64\~GLH0008.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

Drops file in Program Files directory 43 IoCs

Processes:

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

description	ioc	process
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0016.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001a.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001c.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\insbar.reg	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\PROGRA~2\HXPPIE~1\UninstallBar.exe	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\PROGRA~2\HXPPIE~1\HXScreenZoom.exe	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\PROGRA~2\HXPPIE~1\HXIEView.exe	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateSecSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateFinanceSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001f.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateGameSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateFindSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateMusicSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0021.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\PROGRA~2\HXPPIE~1\INSTALL.LOG	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0019.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateMovieSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateOtherSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH000b.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH000c.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\PROGRA~2\HXPPIE~1\temp.000	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0015.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0017.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\PROGRA~2\HXPPIE~1\INSTALL.LOG	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateSearchSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateSoftDownSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH000d.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0018.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001e.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateNewsSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateBookSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0022.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\insname.reg	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH000f.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001d.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateBlogSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH0020.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\HotKeyword.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\PROGRA~2\HXPPIE~1\PopocyBar.dll	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH0011.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\~GLH0013.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File created	C:\Program Files (x86)\HXPPIEBar\data\~GLH001b.TMP	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
File opened for modification	C:\Program Files (x86)\HXPPIEBar\data\NavigateMailSite.dat	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

GLJ1317.tmpregedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{691AFBC1-3C46-406D-AD22-EB3A0F665FC1} = "PopocyToolBar"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	GLJ1317.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	GLJ1317.tmp

Modifies registry class 64 IoCs

Processes:

GLJ1317.tmpGLJ1317.tmpGLJ1317.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Version	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\ProgID\ = "MSComctlLib.Slider.2"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{986A813E-B21A-4ABF-B5FF-210703696177}\TypeLib\ = "{17142606-0B04-47C0-B0FF-B7EC368F559A}"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar.2\CLSID\ = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Control	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\VersionIndependentProgID\ = "MSComctlLib.ImageComboCtl"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5972C6EB-3DF9-432C-9054-6ECE3DCA9305}\ = "_MyBHO"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Version	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ = "Microsoft ImageList Control 6.0 (SP6)"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{362E8AA4-00A6-4082-801A-C199026D15DC}\ProxyStubClsid	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TabStrip.2	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\ProgID	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Version\ = "2.0"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}\InprocServer32	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Version	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\CLSID\ = "{8E3867A3-8586-11D1-B16A-00C0F0283628}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\TypeLib	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\ToolboxBitmap32	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\TypeLib	GLJ1317.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\VersionIndependentProgID\ = "MSComctlLib.ListViewCtrl"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\ = "Microsoft Toolbar Control 6.0 (SP6)"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\MiscStatus\ = "0"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Version	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{17142606-0B04-47C0-B0FF-B7EC368F559A}\9.0\FLAGS\ = "0"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{362E8AA4-00A6-4082-801A-C199026D15DC}\TypeLib\Version = "9.0"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\InprocServer32	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\TypeLib	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}\ = "Slider Appearance Property Page Object"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Version\ = "2.0"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{986A813E-B21A-4ABF-B5FF-210703696177}	GLJ1317.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ = "IColumnHeader"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\ = "IStatusBarEvents"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\InprocServer32\ThreadingModel = "Apartment"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Version	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\ = "IListSubItem"	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	GLJ1317.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16621B97-A033-45C9-9BBD-CE3A455C65E4}\4.0	GLJ1317.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CurVer\ = "MSComctlLib.Toolbar.2"	GLJ1317.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	GLJ1317.tmp

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

1372 regedit.exe
1512 regedit.exe
1988 regedit.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

pid process

1968 6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

pid	process
1372	regedit.exe
1512	regedit.exe
1988	regedit.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe

description	pid	process	target process
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1008	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1336	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1488	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 636	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	GLJ1317.tmp
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1372	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1512	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe
PID 1968 wrote to memory of 1988	1968	6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe
"C:\Users\Admin\AppData\Local\Temp\6038f53fcc92024b8030615e397ab156e14eab572e4fc36a88cfc095e9f87e97.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp" C:\Windows\System32\MSCOMCTL.OCX
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:1008

C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp" C:\Windows\System32\shdocvw.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336

C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp" C:\Windows\System32\VBBHO.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1488

C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp" C:\Program Files (x86)\HXPPIEBar\PopocyBar.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:636

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\system32\insbho.reg
2⤵
- Installs/modifies Browser Helper Object
- Runs .reg file with regedit
PID:1372

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\PROGRA~2\HXPPIE~1\insbar.reg
2⤵
- Modifies Internet Explorer settings
- Runs .reg file with regedit
PID:1512

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\PROGRA~2\HXPPIE~1\insname.reg
2⤵
- Runs .reg file with regedit
PID:1988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HXPPIEBar\PopocyBar.dll
Filesize
136KB

MD5
98b437208f78676a4753adfab45060b5

SHA1
53eabc16b53ac65471fef37daa573392ea9a03a1

SHA256
5625eef7304bfb1f46af41852f7b51b0f1f7d9b858b1bde976399a9f65b43f0d

SHA512
1dfebe72e4e8030b59794bff94a7ef7c1a261a95ffe41c23fa768f05d01a009ad3a7180c3acfc0ddc2eba96e45e5e9cc8fb852e25ad04787e4273f084e7bbdab

Download Submit
C:\Program Files (x86)\HXPPIEBar\insbar.reg
Filesize
137B

MD5
632ba635bb2db1aabd0dc93ae0acfa77

SHA1
91360e5ce3b28d3d8bd7fcd151b76dae5475d9b2

SHA256
eb2dca8606539a8d31950f0dbb01cf702af1ad5565a29671efb227983995ba1f

SHA512
557e198218fed851697ccd3d5a4b8f505264868aeb2813fbaeb0e2056fd7241fe578b763e49fa724c7e81359b570c72b02764329a40bcd6ca063fbb86630a54a

Download Submit
C:\Program Files (x86)\HXPPIEBar\insname.reg
Filesize
236B

MD5
0e9c8739af52643d10d040ea66264c7b

SHA1
aaf476ee4bd41ac02508cafcfafedb89e02358eb

SHA256
35e3396eba84c1ebe96a51a6cc9022dad194cf84625a5b4078abc39fa8bc21aa

SHA512
287d9f7ef6cfea9de483dbd0d64f8b7dbfddb1f4527557202da99a01d0ca1177a0bf3a57ed2fa3d049eea35b06ed9bdea2d8c761fa55330d41cf2d611b2bc1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\SysWOW64\VBBHO.dll
Filesize
52KB

MD5
ab5dbfb0c3eade2952cb87c0474cc7b4

SHA1
9ea5b9449a21039bfa4cb1f56df805cf5e45c6bd

SHA256
f8d1b5736cb034514921d94ead905af3bf1e7ba38f92142a04afd789b1a7873d

SHA512
b52b7282674238b72056a240587c57c46b0cca798e4f67b0a8413b38ae2d0a566a18f11290578f2cde42d586d70cc2195378aeecbb9849398bcb94e197f234ed

Download Submit
C:\Windows\SysWOW64\insbho.reg
Filesize
356B

MD5
5d7a4f75adf787b5a7c372f4e167ee47

SHA1
31ddb2e988c55bb4cad9482b833b8a7a4499c99c

SHA256
e38b02b5b3899a7efb0bda031fc0b2b2355e49a8972d28f4eca29829e7a50fcf

SHA512
e4677561faaa3ded165549043bda4ca95d92c181e2c1a572db339549d1e6d79767f2183fa293c047e9ec88d2add06d47d5d44812f9b56136a24119bcd8ff87ca

Download Submit
\PROGRA~2\HXPPIE~1\HXIEView.exe
Filesize
28KB

MD5
ccc3a816fbd593e48e99dc6a012cc23a

SHA1
f65120cc9c054c64dc7c5efaf615b40985271eca

SHA256
40dc3d7ab3845f4e9c66579dcc2348416e6ad98b620106e6152e57423e2f4dbf

SHA512
b3af1422ab2bf7fdad9dec62380c683ee3009a0bf48a29a368f789b9549dcace4aaf8d3d78d32ba2e421f5ddf5fdf80a6bb6ecb07c67b16a5b01a0c8c498408a

Download Submit
\PROGRA~2\HXPPIE~1\HXIEView.exe
Filesize
28KB

MD5
ccc3a816fbd593e48e99dc6a012cc23a

SHA1
f65120cc9c054c64dc7c5efaf615b40985271eca

SHA256
40dc3d7ab3845f4e9c66579dcc2348416e6ad98b620106e6152e57423e2f4dbf

SHA512
b3af1422ab2bf7fdad9dec62380c683ee3009a0bf48a29a368f789b9549dcace4aaf8d3d78d32ba2e421f5ddf5fdf80a6bb6ecb07c67b16a5b01a0c8c498408a

Download Submit
\PROGRA~2\HXPPIE~1\HXSCRE~1.EXE
Filesize
48KB

MD5
6066d7bea62593af0393240d368118d6

SHA1
a6b1f9ee7b8383310ae5ffea4f52b5d703ed2d94

SHA256
c8fbc35dacf0449801bef56906076ce1e1da690c647d195ba8550eb7f1554b13

SHA512
70c219f2362b80fd33e022700338b619e3916b62c54942c2676ce9577728f06b11d7c5f8a1dfaa844b5157c79f67f3f84001c912c06299367a63aa73ecc61563

Download Submit
\PROGRA~2\HXPPIE~1\HXSCRE~1.EXE
Filesize
48KB

MD5
6066d7bea62593af0393240d368118d6

SHA1
a6b1f9ee7b8383310ae5ffea4f52b5d703ed2d94

SHA256
c8fbc35dacf0449801bef56906076ce1e1da690c647d195ba8550eb7f1554b13

SHA512
70c219f2362b80fd33e022700338b619e3916b62c54942c2676ce9577728f06b11d7c5f8a1dfaa844b5157c79f67f3f84001c912c06299367a63aa73ecc61563

Download Submit
\PROGRA~2\HXPPIE~1\POPOCY~1.DLL
Filesize
136KB

MD5
98b437208f78676a4753adfab45060b5

SHA1
53eabc16b53ac65471fef37daa573392ea9a03a1

SHA256
5625eef7304bfb1f46af41852f7b51b0f1f7d9b858b1bde976399a9f65b43f0d

SHA512
1dfebe72e4e8030b59794bff94a7ef7c1a261a95ffe41c23fa768f05d01a009ad3a7180c3acfc0ddc2eba96e45e5e9cc8fb852e25ad04787e4273f084e7bbdab

Download Submit
\PROGRA~2\HXPPIE~1\POPOCY~1.DLL
Filesize
136KB

MD5
98b437208f78676a4753adfab45060b5

SHA1
53eabc16b53ac65471fef37daa573392ea9a03a1

SHA256
5625eef7304bfb1f46af41852f7b51b0f1f7d9b858b1bde976399a9f65b43f0d

SHA512
1dfebe72e4e8030b59794bff94a7ef7c1a261a95ffe41c23fa768f05d01a009ad3a7180c3acfc0ddc2eba96e45e5e9cc8fb852e25ad04787e4273f084e7bbdab

Download Submit
\PROGRA~2\HXPPIE~1\POPOCY~1.DLL
Filesize
136KB

MD5
98b437208f78676a4753adfab45060b5

SHA1
53eabc16b53ac65471fef37daa573392ea9a03a1

SHA256
5625eef7304bfb1f46af41852f7b51b0f1f7d9b858b1bde976399a9f65b43f0d

SHA512
1dfebe72e4e8030b59794bff94a7ef7c1a261a95ffe41c23fa768f05d01a009ad3a7180c3acfc0ddc2eba96e45e5e9cc8fb852e25ad04787e4273f084e7bbdab

Download Submit
\PROGRA~2\HXPPIE~1\UNINST~1.EXE
Filesize
64KB

MD5
aa253e4653ac32d74665270c2fe3770d

SHA1
ccf58eb9b761d66a01a0d672426ddf8ee944d8fb

SHA256
421f2ebc9ac094ad891c90e4e6381e30a62bf7922559e36ddb090e0d4c4f8718

SHA512
90832e713430f6af3475b503cd8d28af50bb14f53b11e2072ccbb963b3579777fba2c3f92e80371f12b0796b1bfcdc53b6fb2b456fade7be2b8d2db65be21efc

Download Submit
\PROGRA~2\HXPPIE~1\UNINST~1.EXE
Filesize
64KB

MD5
aa253e4653ac32d74665270c2fe3770d

SHA1
ccf58eb9b761d66a01a0d672426ddf8ee944d8fb

SHA256
421f2ebc9ac094ad891c90e4e6381e30a62bf7922559e36ddb090e0d4c4f8718

SHA512
90832e713430f6af3475b503cd8d28af50bb14f53b11e2072ccbb963b3579777fba2c3f92e80371f12b0796b1bfcdc53b6fb2b456fade7be2b8d2db65be21efc

Download Submit
\Users\Admin\AppData\Local\Temp\GLC12F7.tmp
Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLF1C8E.tmp
Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
\Users\Admin\AppData\Local\Temp\GLJ1317.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
\Users\Admin\AppData\Local\Temp\GLK1634.tmp
Filesize
33KB

MD5
07631941f67818659e0e97932224886f

SHA1
a5fa37d427480b569fa858ec66cca2a85d35a40d

SHA256
d73170ea2688da5f6f37d4ca70b72dbc061abd47615269968563b5fcbd74dd9c

SHA512
fbd217add3e1897281de80e2bd935b1251812744264fc5c9a77e88615c18d97a3c01d4f75165d80f3a067369b9e679500e836ec39fafc11d5a40b0054e83d510

Download Submit
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\zbk11FC.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\SysWOW64\MSCOMCTL.OCX
Filesize
1.0MB

MD5
d7eef2c46a9880f21be01511024b53ab

SHA1
4a9e7331cd708e337dc2fa070adb5457eb36619d

SHA256
e3f1703811d35df81beef2441d6f0fb06eeda47adbbfcf04e5add99a58d815ba

SHA512
5608ed768ea7518a91be36842665d211b97082dd2732edddeb03713c602224f988acbcffae38be9a552201cbc69338edaee51eee3c56e1aec82e50f3ce7de79c

Download Submit
\Windows\SysWOW64\MSCOMCTL.OCX
Filesize
1.0MB

MD5
d7eef2c46a9880f21be01511024b53ab

SHA1
4a9e7331cd708e337dc2fa070adb5457eb36619d

SHA256
e3f1703811d35df81beef2441d6f0fb06eeda47adbbfcf04e5add99a58d815ba

SHA512
5608ed768ea7518a91be36842665d211b97082dd2732edddeb03713c602224f988acbcffae38be9a552201cbc69338edaee51eee3c56e1aec82e50f3ce7de79c

Download Submit
\Windows\SysWOW64\MSCOMCTL.OCX
Filesize
1.0MB

MD5
d7eef2c46a9880f21be01511024b53ab

SHA1
4a9e7331cd708e337dc2fa070adb5457eb36619d

SHA256
e3f1703811d35df81beef2441d6f0fb06eeda47adbbfcf04e5add99a58d815ba

SHA512
5608ed768ea7518a91be36842665d211b97082dd2732edddeb03713c602224f988acbcffae38be9a552201cbc69338edaee51eee3c56e1aec82e50f3ce7de79c

Download Submit
\Windows\SysWOW64\MSCOMCTL.OCX
Filesize
1.0MB

MD5
d7eef2c46a9880f21be01511024b53ab

SHA1
4a9e7331cd708e337dc2fa070adb5457eb36619d

SHA256
e3f1703811d35df81beef2441d6f0fb06eeda47adbbfcf04e5add99a58d815ba

SHA512
5608ed768ea7518a91be36842665d211b97082dd2732edddeb03713c602224f988acbcffae38be9a552201cbc69338edaee51eee3c56e1aec82e50f3ce7de79c

Download Submit
\Windows\SysWOW64\VBBHO.dll
Filesize
52KB

MD5
ab5dbfb0c3eade2952cb87c0474cc7b4

SHA1
9ea5b9449a21039bfa4cb1f56df805cf5e45c6bd

SHA256
f8d1b5736cb034514921d94ead905af3bf1e7ba38f92142a04afd789b1a7873d

SHA512
b52b7282674238b72056a240587c57c46b0cca798e4f67b0a8413b38ae2d0a566a18f11290578f2cde42d586d70cc2195378aeecbb9849398bcb94e197f234ed

Download Submit
\Windows\SysWOW64\temp.000
Filesize
1.0MB

MD5
f7bbb7d79adb9e3adc13f3b3c33d3d4d

SHA1
cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a

SHA256
18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006

SHA512
4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e

Download Submit
\Windows\SysWOW64\temp.001
Filesize
1.4MB

MD5
0c5974f803953a02862c405b226a7980

SHA1
bb288def1458817168107104ccd77d65429ac395

SHA256
edcdd048a42a907717725ea3cdd9347b1f3db21cd65ae8c8b989839f594421f8

SHA512
abdfc95c06bf7e5b0841c6afe6eda89c1c2696080ca1d65745bdb04a8abbc4d32a940add8520547530635abbc0496a75c1228cb1ae33032a8ed83d7320b440c8

Download Submit
\Windows\SysWOW64\~GLH0005.TMP
Filesize
1.0MB

MD5
f7bbb7d79adb9e3adc13f3b3c33d3d4d

SHA1
cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a

SHA256
18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006

SHA512
4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e

Download Submit
\Windows\SysWOW64\~GLH0005.TMP
Filesize
1.0MB

MD5
f7bbb7d79adb9e3adc13f3b3c33d3d4d

SHA1
cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a

SHA256
18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006

SHA512
4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e

Download Submit
memory/636-115-0x0000000000480000-0x00000000004F3000-memory.dmp

Filesize
460KB

Download
memory/636-109-0x0000000000000000-mapping.dmp

Download
memory/1008-85-0x0000000000000000-mapping.dmp

Download
memory/1008-92-0x0000000000830000-0x00000000008A3000-memory.dmp

Filesize
460KB

Download
memory/1008-94-0x0000000000830000-0x00000000008A3000-memory.dmp

Filesize
460KB

Download
memory/1336-100-0x0000000000410000-0x0000000000483000-memory.dmp

Filesize
460KB

Download
memory/1336-95-0x0000000000000000-mapping.dmp

Download
memory/1372-117-0x0000000000000000-mapping.dmp

Download
memory/1488-101-0x0000000000000000-mapping.dmp

Download
memory/1488-107-0x0000000000380000-0x00000000003F3000-memory.dmp

Filesize
460KB

Download
memory/1512-120-0x0000000000000000-mapping.dmp

Download
memory/1968-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1968-59-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1968-116-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1968-58-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-127-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1968-128-0x0000000000280000-0x00000000002F3000-memory.dmp

Filesize
460KB

Download
memory/1988-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads