14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Size

3.2MB
MD5

9da4d34c63790562fcf7258515d05c45
SHA1

70825648789314017e7557bb14eb84ccdf10a379
SHA256

14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f
SHA512

bbcfe8453c9df563a0cd46a8ee5a699d838e29e3788359845730a0ac7a648b24ef8c38313cb829fd999c10832494177933a8a97fa81a3bcec5f0423c5dc13857
SSDEEP

98304:K1DofoRV6Jt/rDMUNAv7kTfuX48HPcC2P6Cd6cpxujdf:K1EfoKkXv7No6cpMj

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e63-146.dat	acprotect
behavioral2/files/0x0006000000022e63-147.dat	acprotect
behavioral2/files/0x0006000000022e64-149.dat	acprotect
behavioral2/files/0x0006000000022e63-156.dat	acprotect
behavioral2/files/0x0006000000022e63-157.dat	acprotect

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4808-132-0x0000000000400000-0x0000000000BB2000-memory.dmp	upx
behavioral2/memory/4808-140-0x0000000000400000-0x0000000000BB2000-memory.dmp	upx
behavioral2/files/0x0006000000022e63-146.dat	upx
behavioral2/files/0x0006000000022e63-147.dat	upx
behavioral2/memory/3260-148-0x0000000010000000-0x0000000010136000-memory.dmp	upx
behavioral2/files/0x0006000000022e64-149.dat	upx
behavioral2/memory/4808-150-0x0000000010000000-0x00000000100CA000-memory.dmp	upx
behavioral2/memory/4808-151-0x0000000010000000-0x00000000100CA000-memory.dmp	upx
behavioral2/files/0x0006000000022e63-156.dat	upx
behavioral2/files/0x0006000000022e63-157.dat	upx
behavioral2/memory/4808-158-0x000000000ABE0000-0x000000000AD16000-memory.dmp	upx

Loads dropped DLL 10 IoCs

pid	Process
4204	regsvr32.exe
1292	regsvr32.exe
1128	regsvr32.exe
3260	regsvr32.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ = "_FramerControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}\1.2\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\TypeLib\ = "{00460180-9E5E-11d5-B7C8-B8269041DD57}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\MSCOMCTL.OCX, 12"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer\ = "MSComctlLib.ProgCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ImageListCtrl.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\ = "Microsoft StatusBar Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID\ = "MSComDlg.CommonDialog.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ = "ITabs"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl\CurVer\ = "RICHTEXT.RichtextCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F055-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04C-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED117630-4090-11CF-8981-00AA00688B10}\TypeLib\ = "{3B7C8863-D78F-101B-B9B5-04021C009402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tools\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider\ = "Microsoft Slider Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: SeIncBasePriorityPrivilege	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: 33	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
Token: SeIncBasePriorityPrivilege	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4204	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	81
PID 4808 wrote to memory of 4204	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	81
PID 4808 wrote to memory of 4204	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	81
PID 4808 wrote to memory of 1292	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	82
PID 4808 wrote to memory of 1292	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	82
PID 4808 wrote to memory of 1292	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	82
PID 4808 wrote to memory of 1128	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	83
PID 4808 wrote to memory of 1128	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	83
PID 4808 wrote to memory of 1128	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	83
PID 4808 wrote to memory of 3260	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	86
PID 4808 wrote to memory of 3260	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	86
PID 4808 wrote to memory of 3260	4808	14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe	86

C:\Users\Admin\AppData\Local\Temp\14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe
"C:\Users\Admin\AppData\Local\Temp\14ca781f429f7d84132256ab68c70c28a4d3be86c8ac4d901f9a4ebc303ee93f.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4204
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1292
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1128
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\COMDLG32.OCX

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MSCOMCTL.OCX

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\MYEDITOR.OCX

Filesize
357KB

MD5
bcf2dee897b7c803edcc047c57ed0f47

SHA1
d7d59159cb0fc52ea081a063c6442e117db31a0d

SHA256
484b5c43ed301edd61a738089e500a48203858a42478a3a610ad0009c9899384

SHA512
f1d4bb36ed468fdd65afea692f43852f3aac00774c5fa114036458f2c5cee3362df785943ff852f652ec368d713b995bb5193852549634da1892d366a5b61c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\RICHTX32.OCX

Filesize
207KB

MD5
045a16822822426c305ea7280270a3d6

SHA1
43075b6696bb2d2f298f263971d4d3e48aa4f561

SHA256
318cc48cbcfaba9592956e4298886823cc5f37626c770d6dadbcd224849680c5

SHA512
5a042ff0a05421fb01e0a95a8b62f3ce81f90330daed78f09c7d5d2abcb822a2fe99d00494c3ddd96226287fae51367e264b48b2831a8c080916ce18c0a675fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\skinh_vb6.dll

Filesize
136KB

MD5
cdec482c5149f0cce5546ef506ea033b

SHA1
4ed383e7c9b648d90a9b73b8e690774fd6a7c0c1

SHA256
0089d7ec375ad3852fddb306ff14bd2c195ad667c5f1553a4e19258546c16671

SHA512
eee60bbd1070d33114685d279287b31b8e9d9fd88cdeed0e9eaa153383d4221b2796f32bf9ea33c2ee1d57534801c72f4c887ef927352344ab5b25e24e734846

Download Submit
memory/3260-148-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/4808-140-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/4808-150-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/4808-151-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/4808-132-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/4808-158-0x000000000ABE0000-0x000000000AD16000-memory.dmp

Filesize
1.2MB

Download