4b92e9170ad65663632b3cef184e189d436b9df371af678c873cb6db3c548787

Analysis

max time kernel
89s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thermosolver.exe
Size

3.1MB
MD5

836ee18db5fdece6a291a2e055c080b5
SHA1

47176667344dac733a4f169a6015945e79744e70
SHA256

4b92e9170ad65663632b3cef184e189d436b9df371af678c873cb6db3c548787
SHA512

8293f2317d338c28d184aa573285f4876e2f2aa32d7b6b0cbb11f2493f529611ae6b9c41bf04d84853235027662b7559e4dc4069afc6bf0506bacf1051c14d9a
SSDEEP

98304:0VAGAUe2wHfz+7nvxVA0cGzkmkXuFxnaBeCH+SrlnA9:++Zk/Rwm2CxSfrlni

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1296	INS198A.tmp
1284	Thermo.exe

Loads dropped DLL 18 IoCs

pid	Process
924	thermosolver.exe
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1296	INS198A.tmp
1284	Thermo.exe
1284	Thermo.exe
1284	Thermo.exe
1284	Thermo.exe
1284	Thermo.exe
1284	Thermo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-NUEC6.tmp	INS198A.tmp
File created	C:\Windows\SysWOW64\is-V7G7E.tmp	INS198A.tmp
File created	C:\Windows\SysWOW64\is-TCF1Q.tmp	INS198A.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ThermoSolver\Data\is-CS17K.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-OV9D9.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-GU9DA.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-84M8C.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-USPJV.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-BOCJB.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-9A42B.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\is-8S7C9.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-USP6K.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-3G2V4.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-H64DJ.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-GS6VK.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-QCFVU.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-NIN2K.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-FRH8K.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-U07DP.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\is-0I81N.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-CHGDI.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-T3BO0.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-UMRJG.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-JPLR9.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-1R35A.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-LS4PF.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-JTVM8.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-PVKAK.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-E8N1Q.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-E1FBU.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-VFNOE.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsobaricVLE\is-4F9LO.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-CKCBS.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-8ETMU.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-FRNPJ.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-8IFVN.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-E2OLG.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-UIFIK.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-FSPGH.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-1EECD.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsobaricVLE\is-AS8R8.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-5VI9U.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-SSQJS.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsobaricVLE\is-7LLCQ.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-FEQ32.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-LG20B.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\unins000.dat	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-I03MJ.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-NU1BI.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-T9ICB.tmp	INS198A.tmp
File opened for modification	C:\Program Files (x86)\ThermoSolver\unins000.dat	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-M1LIB.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-13VHN.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-DB8KR.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-QV2JR.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-KO38K.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsobaricVLE\is-51199.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-Q5UKI.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-MSSBE.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-GITBS.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-QG40R.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-V7M7L.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-CAC4V.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-IJ1CO.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\HTMLDocs\is-O3G1I.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-S9Q3F.tmp	INS198A.tmp
File created	C:\Program Files (x86)\ThermoSolver\Data\IsothermalVLE\is-V7Q8U.tmp	INS198A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}\ = "Microsoft FlexGrid Control, version 6.0"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSFlexGridLib.MSFlexGrid.1\ = "Microsoft FlexGrid Control, version 6.0"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{609602E0-531B-11CF-91F6-C2863C385E30}\TypeLib\Version = "1.0"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004}\TypeLib\Version = "1.3"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\ProxyStubClsid32	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\ProxyStubClsid32	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Version	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E63A3-850A-101B-AFC0-4210102A8DA7}\ = "Panel Property Page Object"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7}\ = "IImage10"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ = "ISlider"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A4-850A-101B-AFC0-4210102A8DA7}	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\TypeLib	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR\	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{609602E0-531B-11CF-91F6-C2863C385E30}\ProxyStubClsid32	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider\CLSID\ = "{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ = "IPanel"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ = "AsyncProperty_VB5"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer\ = "MSComDlg.CommonDialog.1"	INS198A.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D96-9D6A-101B-AFC0-4210102A8DA7}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.SBarCtrl\CLSID	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\ProxyStubClsid32	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F4DF280-531B-11CF-91F6-C2863C385E30}\TypeLib	INS198A.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F6AA700-D188-11CD-AD48-00AA003C9CB6}\TypeLib\ = "{5E9E78A0-531B-11CF-91F6-C2863C385E30}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{609602E0-531B-11CF-91F6-C2863C385E30}\TypeLib\ = "{5E9E78A0-531B-11CF-91F6-C2863C385E30}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E84-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ = "ICommonDialogEvents"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ = "DataObjectFiles"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\ProgID	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E88-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACBB957-5C57-11CF-8993-00AA00688B10}\InprocServer32\ = "C:\\Windows\\SysWow64\\Comctl32.ocx"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ = "IListItem11"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider\CurVer\ = "COMCTL.Slider.1"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.ProgCtrl.1"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCFB3D2B-A0FA-1068-A738-08002B3371B5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32	INS198A.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\ = "IColumnHeader11"	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E791-850A-101B-AFC0-4210102A8DA7}\TypeLib	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}	INS198A.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	INS198A.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1284	Thermo.exe
1284	Thermo.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 924 wrote to memory of 1296	924	thermosolver.exe	28
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30
PID 1296 wrote to memory of 1284	1296	INS198A.tmp	30

C:\Users\Admin\AppData\Local\Temp\thermosolver.exe
"C:\Users\Admin\AppData\Local\Temp\thermosolver.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\INS198A.tmp
  C:\Users\Admin\AppData\Local\Temp\INS198A.tmp /SL3 $80122 C:\Users\Admin\AppData\Local\Temp\thermosolver.exe 3249063 3252477 61952
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files (x86)\ThermoSolver\Thermo.exe
    "C:\Program Files (x86)\ThermoSolver\Thermo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ThermoSolver\Data\SpeciesDatabase

Filesize
55KB

MD5
c3b1b0eaa7f8f561f43d6bb1708ae5a3

SHA1
6372c1cfebbddc73d85ebe2665323e43f2da5450

SHA256
2b7c37b3e1dd79c9eec61f0dee600dd75c70e5b4d9ff5760f2928e4994010aed

SHA512
c75f4a175f03485441c167c8eb7aac724bc17835a05ed1aec65c0a768d58f922fad59109e847f1411b8ee39081d6d4eca2a52707fd5f4da17be59fd5df3ba767

Download Submit
C:\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
C:\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
C:\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
C:\Program Files (x86)\ThermoSolver\math.dll

Filesize
56KB

MD5
bef0060819330b459771773d18106793

SHA1
c49f222e18848c4ca7c78eea8427f453fce536c8

SHA256
9df55a5336e7b64153c7e529bac958613db192f5a5c77a08b018cca2a5586521

SHA512
5c47ba83592e455721dbb40e07d4f102e79b73ddbb7e53c634a701f2e0e8d633f4e4d7aacb241abd0e1162a9cea2598b6c27708de8557ecc64ff57b46003a3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS198A.tmp

Filesize
377KB

MD5
ec2a3559ef793d976d3f72252ade0b68

SHA1
1673ad41b3683d9fde4e331ef97711af05c4c014

SHA256
995ca25e8ac883429e67e2985887c2dc122e4d3cca48d6ab5b545e6a896ae2e1

SHA512
a9f77b1735eb88e3ed790a0bb00637a616c33414cbb6f0b582322759a3bea3bf2fd7a334f92c17dd9f1669acdacc7551611ecedb80c11e999ddd120f104355b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\INS198A.tmp

Filesize
377KB

MD5
ec2a3559ef793d976d3f72252ade0b68

SHA1
1673ad41b3683d9fde4e331ef97711af05c4c014

SHA256
995ca25e8ac883429e67e2985887c2dc122e4d3cca48d6ab5b545e6a896ae2e1

SHA512
a9f77b1735eb88e3ed790a0bb00637a616c33414cbb6f0b582322759a3bea3bf2fd7a334f92c17dd9f1669acdacc7551611ecedb80c11e999ddd120f104355b1

Download Submit
C:\Windows\SysWow64\Comctl32.ocx

Filesize
590KB

MD5
89ee5d03c1afabe74cc869e286f58147

SHA1
a349b9e570a63f5cabad4ac18c83a7f6bfdb5551

SHA256
1b9280afa21cd08ade1317f2bd9c0f31d31f75e358673046262eb4127fe27a05

SHA512
c352d59a1d51ef07e1f35b973e046b4b7ce63d6347c7a189e525ba3f781694ef385952e582a632bf491c67682deac2b5ae33e378eb741ee018d51d276337b523

Download Submit
C:\Windows\SysWow64\msflxgrd.ocx

Filesize
238KB

MD5
07bae8106a135df779abc46ec603ea09

SHA1
be98c98a35da6ced57b7fc3c2fc933efa84b4273

SHA256
4e592240b745546c15e95e26b2547cec86352a49ee1ef79b3e3d28df8b5a0e70

SHA512
6ab494ea9e1c633969d5fe6c14411ec20f7073e464e2738c545deefbdc5fb84fb26ff3e9641236cf1afb4d90633437cd312ff5c665c0c8f462c101a957fffbeb

Download Submit
\Program Files (x86)\ThermoSolver\DocView.exe

Filesize
688KB

MD5
401af969811683d7c102fd10646b281e

SHA1
42d002841821b820f91cd883286ebf0d54549826

SHA256
17c2ec4be37baddf010a4baa22d9a7b03862de4082563e0cd628ddbd6c1fd1c6

SHA512
f582a1794e64f83cb4266de756a2f66ec8ce909925b5c60a71bae5b37e7620e927836c9e1a5a61d06834519e34d9af49b036a093dcb2f26178ec8d7037dc7f9b

Download Submit
\Program Files (x86)\ThermoSolver\Math.dll

Filesize
56KB

MD5
bef0060819330b459771773d18106793

SHA1
c49f222e18848c4ca7c78eea8427f453fce536c8

SHA256
9df55a5336e7b64153c7e529bac958613db192f5a5c77a08b018cca2a5586521

SHA512
5c47ba83592e455721dbb40e07d4f102e79b73ddbb7e53c634a701f2e0e8d633f4e4d7aacb241abd0e1162a9cea2598b6c27708de8557ecc64ff57b46003a3f5

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\Thermo.exe

Filesize
1.4MB

MD5
b26a6ec883c819f41fcfb5fd6fdf8587

SHA1
dd7b88b4d0713c0e02e17e9c21ada8fc89173f5a

SHA256
eee0e2a64cd0f2554972ce64c400a11cd6c5a76e2a43d82f3cb9475ce9f3b318

SHA512
ed362967348c5f1076cdaf49c3d8aa0544f82583e312c04b4b2b4b5b496478a40ad505e66a985928b7086d3955cc200147809d6f56ff63374bd3e2cd60a9bfa6

Download Submit
\Program Files (x86)\ThermoSolver\unins000.exe

Filesize
69KB

MD5
4430cc72b3a69e91f42043950461fbd1

SHA1
23ba36fbb3c9fc3550ac0a1b741b98b664c82832

SHA256
50c32b8b80073c71dddb3997b147e9903e60ac6ee5c25df237bfce83cbbda646

SHA512
525d41749f571e951610cf6088a19a4ecaf8a299a2369610a79ab9ee5b5fe50cebd012fc0aa7302cf1ee6dc24fba841c2eb98dde5d0c6cacdd0bcbc17b2fa834

Download Submit
\Users\Admin\AppData\Local\Temp\INS198A.tmp

Filesize
377KB

MD5
ec2a3559ef793d976d3f72252ade0b68

SHA1
1673ad41b3683d9fde4e331ef97711af05c4c014

SHA256
995ca25e8ac883429e67e2985887c2dc122e4d3cca48d6ab5b545e6a896ae2e1

SHA512
a9f77b1735eb88e3ed790a0bb00637a616c33414cbb6f0b582322759a3bea3bf2fd7a334f92c17dd9f1669acdacc7551611ecedb80c11e999ddd120f104355b1

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHKAM.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHKAM.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Windows\SysWOW64\Comctl32.ocx

Filesize
590KB

MD5
89ee5d03c1afabe74cc869e286f58147

SHA1
a349b9e570a63f5cabad4ac18c83a7f6bfdb5551

SHA256
1b9280afa21cd08ade1317f2bd9c0f31d31f75e358673046262eb4127fe27a05

SHA512
c352d59a1d51ef07e1f35b973e046b4b7ce63d6347c7a189e525ba3f781694ef385952e582a632bf491c67682deac2b5ae33e378eb741ee018d51d276337b523

Download Submit
\Windows\SysWOW64\Comctl32.ocx

Filesize
590KB

MD5
89ee5d03c1afabe74cc869e286f58147

SHA1
a349b9e570a63f5cabad4ac18c83a7f6bfdb5551

SHA256
1b9280afa21cd08ade1317f2bd9c0f31d31f75e358673046262eb4127fe27a05

SHA512
c352d59a1d51ef07e1f35b973e046b4b7ce63d6347c7a189e525ba3f781694ef385952e582a632bf491c67682deac2b5ae33e378eb741ee018d51d276337b523

Download Submit
\Windows\SysWOW64\Comdlg32.ocx

Filesize
137KB

MD5
d76f0eab36f83a31d411aeaf70da7396

SHA1
9bc145b54500fb6fbea9be61fbdd90f65fd1bc14

SHA256
46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c

SHA512
9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d

Download Submit
\Windows\SysWOW64\msflxgrd.ocx

Filesize
238KB

MD5
07bae8106a135df779abc46ec603ea09

SHA1
be98c98a35da6ced57b7fc3c2fc933efa84b4273

SHA256
4e592240b745546c15e95e26b2547cec86352a49ee1ef79b3e3d28df8b5a0e70

SHA512
6ab494ea9e1c633969d5fe6c14411ec20f7073e464e2738c545deefbdc5fb84fb26ff3e9641236cf1afb4d90633437cd312ff5c665c0c8f462c101a957fffbeb

Download Submit
\Windows\SysWOW64\msflxgrd.ocx

Filesize
238KB

MD5
07bae8106a135df779abc46ec603ea09

SHA1
be98c98a35da6ced57b7fc3c2fc933efa84b4273

SHA256
4e592240b745546c15e95e26b2547cec86352a49ee1ef79b3e3d28df8b5a0e70

SHA512
6ab494ea9e1c633969d5fe6c14411ec20f7073e464e2738c545deefbdc5fb84fb26ff3e9641236cf1afb4d90633437cd312ff5c665c0c8f462c101a957fffbeb

Download Submit
memory/924-416-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/924-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1296-410-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1296-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1296-67-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1296-391-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download