5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
Size

8.6MB
MD5

7ad4d73790a03a185a20aaacf53fc111
SHA1

963d544082f1a077b739e3dd5cc814f8aab111ab
SHA256

5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f
SHA512

9d321f1517f0841f4738a651d005fb81f287bf8a27a025aad09b2271fa7d7e15f8f28aef63bcd8431a8a0b2f658cfc9741d361670cc54174d4c3fa614d07c7ed
SSDEEP

98304:RixzZBvbEV7Vtkp6RF49yd5hsob5vf/DrQsUYHHsPNE2RuCR1XCXjx/b9cvXEn1p:AxzrI6wRF49yd57b9OzVuCRJKjh4g1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 17 IoCs

pid	Process
2856	regsvr32.exe
1908	regsvr32.exe
4376	regsvr32.exe
3676	regsvr32.exe
1700	regsvr32.exe
2880	regsvr32.exe
3656	regsvr32.exe
4396	regsvr32.exe
2640	regsvr32.exe
3736	regsvr32.exe
3736	regsvr32.exe
4264	regsvr32.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mbaxp.ocx	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\msstdfmt.dll	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\TABCTL32.OCX	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\mscomm32.ocx	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\c4501v.dll	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\ago4501.dll	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\comctl32.ocx	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\MMatrix.dll	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\v4501v.dll	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.ocx	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}\AlternateCLSID = "{F6565773-FA54-45E9-941C-2505E54D5710}"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1\ = "132499"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\VersionIndependentProgID\ = "COMCTL.Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCOMMLib.MSComm.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "165265"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ = "IPanel"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8B0-850A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{648A5602-2C6E-101B-82B6-000000000014}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\ = "ImageList General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924E3CB2-4AA0-11D3-B81B-444553540001}\TypeLib\Version = "35.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32\ = "C:\\Windows\\SysWow64\\comdlg32.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00CE2D84-06EC-4714-87C4-31CB8314B159}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D93-9D6A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E953-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E88-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\ = "Common Dialog Help Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.SBarCtrl\ = "Microsoft StatusBar Control, version 5.0 (SP2)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.SBarCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCOMMLib.MSComm\CLSID\ = "{648A5600-2C6E-101B-82B6-000000000014}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{648A5602-2C6E-101B-82B6-000000000014}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E88-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\ = "ITreeView"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\TypeLib\Version = "1.3"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{648A5604-2C6E-101B-82B6-000000000014}\ = "MSComm General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0FC8A81-2CB2-101B-82B6-000000000014}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\1	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2856	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	83
PID 4896 wrote to memory of 2856	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	83
PID 4896 wrote to memory of 2856	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	83
PID 4896 wrote to memory of 1908	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	84
PID 4896 wrote to memory of 1908	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	84
PID 4896 wrote to memory of 1908	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	84
PID 4896 wrote to memory of 4376	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	85
PID 4896 wrote to memory of 4376	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	85
PID 4896 wrote to memory of 4376	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	85
PID 4896 wrote to memory of 3676	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	86
PID 4896 wrote to memory of 3676	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	86
PID 4896 wrote to memory of 3676	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	86
PID 4896 wrote to memory of 1700	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	87
PID 4896 wrote to memory of 1700	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	87
PID 4896 wrote to memory of 1700	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	87
PID 4896 wrote to memory of 2880	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	88
PID 4896 wrote to memory of 2880	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	88
PID 4896 wrote to memory of 2880	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	88
PID 4896 wrote to memory of 3656	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	89
PID 4896 wrote to memory of 3656	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	89
PID 4896 wrote to memory of 3656	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	89
PID 4896 wrote to memory of 4396	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	90
PID 4896 wrote to memory of 4396	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	90
PID 4896 wrote to memory of 4396	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	90
PID 4896 wrote to memory of 2640	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	91
PID 4896 wrote to memory of 2640	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	91
PID 4896 wrote to memory of 2640	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	91
PID 4896 wrote to memory of 3736	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	92
PID 4896 wrote to memory of 3736	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	92
PID 4896 wrote to memory of 3736	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	92
PID 4896 wrote to memory of 4264	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	94
PID 4896 wrote to memory of 4264	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	94
PID 4896 wrote to memory of 4264	4896	5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe	94

C:\Users\Admin\AppData\Local\Temp\5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe
"C:\Users\Admin\AppData\Local\Temp\5456784df0c60cb5e8317e65b27a724b86a99d048bc0b22cc4c96f8e2780e82f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s mscomctl.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2856
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s TABCTL32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1908
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s comdlg32.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4376
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s mscomm32.ocx
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3676
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s mbaxp.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1700
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s c4501v.dll
  2⤵
  - Loads dropped DLL
  PID:2880
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s ago4501.dll
  2⤵
  - Loads dropped DLL
  PID:3656
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s comctl32.ocx
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4396
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s MMatrix.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2640
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s v4501v.dll
  2⤵
  - Loads dropped DLL
  PID:3736
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s msstdfmt.dll
  2⤵
  - Loads dropped DLL
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MMatrix.dll

Filesize
1.0MB

MD5
ef823536d83b6478280ec4bc7fd7043b

SHA1
864d9e5e401d19f40057c581e0c450a482e4dbc9

SHA256
6849c27a65ea2837cfb6b24ecfe282d482336213c92806ef066157307bf59d9c

SHA512
f0cee9d600d0cfbc1ce824c0bbcd35a796cca7fa376132212dae530b176d0e9484588ed5eaff9d0782e91d338d8893d6edbc7e9c15b95db35ee4ff50ede535d5

Download Submit
C:\Windows\SysWOW64\MMatrix.dll

Filesize
1.0MB

MD5
ef823536d83b6478280ec4bc7fd7043b

SHA1
864d9e5e401d19f40057c581e0c450a482e4dbc9

SHA256
6849c27a65ea2837cfb6b24ecfe282d482336213c92806ef066157307bf59d9c

SHA512
f0cee9d600d0cfbc1ce824c0bbcd35a796cca7fa376132212dae530b176d0e9484588ed5eaff9d0782e91d338d8893d6edbc7e9c15b95db35ee4ff50ede535d5

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
204KB

MD5
2bae02cd88d9ef0c03bdab250904f802

SHA1
ff421bffb17f2dafdf028a198ed6e540e0c8dce9

SHA256
76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

SHA512
faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
204KB

MD5
2bae02cd88d9ef0c03bdab250904f802

SHA1
ff421bffb17f2dafdf028a198ed6e540e0c8dce9

SHA256
76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

SHA512
faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
204KB

MD5
2bae02cd88d9ef0c03bdab250904f802

SHA1
ff421bffb17f2dafdf028a198ed6e540e0c8dce9

SHA256
76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

SHA512
faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

Download Submit
C:\Windows\SysWOW64\ago4501.dll

Filesize
2.6MB

MD5
7e97e92782a8f6e1e9379d1f8e8a14a7

SHA1
1dcf945f1abaa6ee9cb24690bfb006ee46025fc0

SHA256
bdcfd2ee7d9c161527ab3dfe406cd7f58b94ba9e13c6eade2a5746caa8f7ebdc

SHA512
bf8424f3efba81e945f51ef18b449abd4268bcaffe4f1891c45e11a064b9c1e44ccd1035638d5f268301e6b413e4f7ee1ab87b44cd2523e6bd123ac5e497c6fb

Download Submit
C:\Windows\SysWOW64\ago4501.dll

Filesize
2.6MB

MD5
7e97e92782a8f6e1e9379d1f8e8a14a7

SHA1
1dcf945f1abaa6ee9cb24690bfb006ee46025fc0

SHA256
bdcfd2ee7d9c161527ab3dfe406cd7f58b94ba9e13c6eade2a5746caa8f7ebdc

SHA512
bf8424f3efba81e945f51ef18b449abd4268bcaffe4f1891c45e11a064b9c1e44ccd1035638d5f268301e6b413e4f7ee1ab87b44cd2523e6bd123ac5e497c6fb

Download Submit
C:\Windows\SysWOW64\ago4501.dll

Filesize
2.6MB

MD5
7e97e92782a8f6e1e9379d1f8e8a14a7

SHA1
1dcf945f1abaa6ee9cb24690bfb006ee46025fc0

SHA256
bdcfd2ee7d9c161527ab3dfe406cd7f58b94ba9e13c6eade2a5746caa8f7ebdc

SHA512
bf8424f3efba81e945f51ef18b449abd4268bcaffe4f1891c45e11a064b9c1e44ccd1035638d5f268301e6b413e4f7ee1ab87b44cd2523e6bd123ac5e497c6fb

Download Submit
C:\Windows\SysWOW64\c4501v.dll

Filesize
389KB

MD5
70d9207656bb5fec96798a455ee26197

SHA1
1ec6f419575a728f9322587e8ae3ae3361473644

SHA256
faf7dfaaa9bb1f4551fa1324edb5293ff7ded3150b80e2a089de72f65999490d

SHA512
0d7c2fdca64b186579e061ae4ab3d815e68b7a0353b4474dbfa4f84f208c8a17c0e98fa05c2e0825aa43a60b7f79996d05ef2b5149fc75aeb904cc689cad9dcb

Download Submit
C:\Windows\SysWOW64\c4501v.dll

Filesize
389KB

MD5
70d9207656bb5fec96798a455ee26197

SHA1
1ec6f419575a728f9322587e8ae3ae3361473644

SHA256
faf7dfaaa9bb1f4551fa1324edb5293ff7ded3150b80e2a089de72f65999490d

SHA512
0d7c2fdca64b186579e061ae4ab3d815e68b7a0353b4474dbfa4f84f208c8a17c0e98fa05c2e0825aa43a60b7f79996d05ef2b5149fc75aeb904cc689cad9dcb

Download Submit
C:\Windows\SysWOW64\comctl32.ocx

Filesize
595KB

MD5
e2bed335446b7321ff38a138b3962e8a

SHA1
f183eaeb7e4af955aad1d894dc46801b715f3ad9

SHA256
a071a89ca5f35ff51a5631b7ea7aa882eee1e8787640ab2e0c1f192f677ec443

SHA512
61bc1923e03daa74c0061e6534e5014375eff3728ab16dca68830bcd687991c640db4a6c76836cb0b92179e90159bd1f202fdb71b57de7ad760cc677fa3636b2

Download Submit
C:\Windows\SysWOW64\comctl32.ocx

Filesize
595KB

MD5
e2bed335446b7321ff38a138b3962e8a

SHA1
f183eaeb7e4af955aad1d894dc46801b715f3ad9

SHA256
a071a89ca5f35ff51a5631b7ea7aa882eee1e8787640ab2e0c1f192f677ec443

SHA512
61bc1923e03daa74c0061e6534e5014375eff3728ab16dca68830bcd687991c640db4a6c76836cb0b92179e90159bd1f202fdb71b57de7ad760cc677fa3636b2

Download Submit
C:\Windows\SysWOW64\comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Windows\SysWOW64\comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Windows\SysWOW64\comdlg32.ocx

Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Windows\SysWOW64\mbaxp.ocx

Filesize
72KB

MD5
3f3d0e7b0dd2c727e3e5e58c2f68c67e

SHA1
770e90b5b94d1da456cd7446624564631596d154

SHA256
8b0730e63d8e05c37713a3e6079be8c415c769637ac9c6fd660e4e46aa22ea36

SHA512
70ff51bb65919a8637065f01d930c6d72e0acf8651750eff69c5392c7613d2b9b0ceb9e32da37200a400b466480e72e47752ea479bec05cca3adff0d9cddfa08

Download Submit
C:\Windows\SysWOW64\mbaxp.ocx

Filesize
72KB

MD5
3f3d0e7b0dd2c727e3e5e58c2f68c67e

SHA1
770e90b5b94d1da456cd7446624564631596d154

SHA256
8b0730e63d8e05c37713a3e6079be8c415c769637ac9c6fd660e4e46aa22ea36

SHA512
70ff51bb65919a8637065f01d930c6d72e0acf8651750eff69c5392c7613d2b9b0ceb9e32da37200a400b466480e72e47752ea479bec05cca3adff0d9cddfa08

Download Submit
C:\Windows\SysWOW64\mbaxp.ocx

Filesize
72KB

MD5
3f3d0e7b0dd2c727e3e5e58c2f68c67e

SHA1
770e90b5b94d1da456cd7446624564631596d154

SHA256
8b0730e63d8e05c37713a3e6079be8c415c769637ac9c6fd660e4e46aa22ea36

SHA512
70ff51bb65919a8637065f01d930c6d72e0acf8651750eff69c5392c7613d2b9b0ceb9e32da37200a400b466480e72e47752ea479bec05cca3adff0d9cddfa08

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
d268668751ee22997d7ef1417034cb04

SHA1
d8a87438ab0df47fe252b06162a986399cafffe1

SHA256
fac6736251d3c61ecbd63be0420d1c75d5cd0442181d479013330155ca37d358

SHA512
75f40cc8c92e3fcdd381669f6aa0bf1e76ee6fec0c5cbf53ea0bbfbff199ac7229fc1405f737420badd24f438b49b8d2eed2bb0f3fad0bf8a974f54bd6964a34

Download Submit
C:\Windows\SysWOW64\mscomm32.ocx

Filesize
116KB

MD5
a2514f76118a631b13632a2b58023514

SHA1
8bee92c7fd83031494e3fad4e8c207123962b3ed

SHA256
6e12d26a2ea19dadead576ee1d1f3e8e20b03ef14c811ce47ccdb58a3f97795f

SHA512
62b46f0564e1053eb0a12611dfa2ac4a7489b2c96b6abc0ce23d9ce7393fab89d4e2c44346a3f1ccba579cd67ea44bdd12c1ea5a9fcf9eb39e234e5dfe5ce1c5

Download Submit
C:\Windows\SysWOW64\mscomm32.ocx

Filesize
116KB

MD5
a2514f76118a631b13632a2b58023514

SHA1
8bee92c7fd83031494e3fad4e8c207123962b3ed

SHA256
6e12d26a2ea19dadead576ee1d1f3e8e20b03ef14c811ce47ccdb58a3f97795f

SHA512
62b46f0564e1053eb0a12611dfa2ac4a7489b2c96b6abc0ce23d9ce7393fab89d4e2c44346a3f1ccba579cd67ea44bdd12c1ea5a9fcf9eb39e234e5dfe5ce1c5

Download Submit
C:\Windows\SysWOW64\mscomm32.ocx

Filesize
116KB

MD5
a2514f76118a631b13632a2b58023514

SHA1
8bee92c7fd83031494e3fad4e8c207123962b3ed

SHA256
6e12d26a2ea19dadead576ee1d1f3e8e20b03ef14c811ce47ccdb58a3f97795f

SHA512
62b46f0564e1053eb0a12611dfa2ac4a7489b2c96b6abc0ce23d9ce7393fab89d4e2c44346a3f1ccba579cd67ea44bdd12c1ea5a9fcf9eb39e234e5dfe5ce1c5

Download Submit
C:\Windows\SysWOW64\msstdfmt.dll

Filesize
117KB

MD5
719e0f4d1114f700f564e9ae47f0e3ee

SHA1
d0505b9cb3123e0f2407ab3271f9f2e33d251410

SHA256
3d5c3074fc645da3b68c859a709a5fbefb7df43f458af01ffda55bfc1456e7fc

SHA512
42c555262a9353ccbfd8dcb656a6396a82e5d7b9bacb37134450e3ad866dee06db292b40fd21cad17dd7bba43ed01acf0ba035e4fbf78d762e196de78bfd7748

Download Submit
C:\Windows\SysWOW64\msstdfmt.dll

Filesize
117KB

MD5
719e0f4d1114f700f564e9ae47f0e3ee

SHA1
d0505b9cb3123e0f2407ab3271f9f2e33d251410

SHA256
3d5c3074fc645da3b68c859a709a5fbefb7df43f458af01ffda55bfc1456e7fc

SHA512
42c555262a9353ccbfd8dcb656a6396a82e5d7b9bacb37134450e3ad866dee06db292b40fd21cad17dd7bba43ed01acf0ba035e4fbf78d762e196de78bfd7748

Download Submit
C:\Windows\SysWOW64\v4501v.dll

Filesize
2.1MB

MD5
2390fd7226ec79c4ad3278f07b72116a

SHA1
0e889e25bd1e750f44f7830e1aec47440a4055a2

SHA256
c3b2490adcb24b1288ad106df16d7831ec15b05ff1c936bbce50a2bf093e733b

SHA512
0a61570120e27aa29718b533e88d3a765b86fae8d49fe1be24e0d8c4eb237092f7ccfdb2856f86af288107d8820a32dffc065a829b4ace1387cc8fd3e333ebbc

Download Submit
C:\Windows\SysWOW64\v4501v.dll

Filesize
2.1MB

MD5
2390fd7226ec79c4ad3278f07b72116a

SHA1
0e889e25bd1e750f44f7830e1aec47440a4055a2

SHA256
c3b2490adcb24b1288ad106df16d7831ec15b05ff1c936bbce50a2bf093e733b

SHA512
0a61570120e27aa29718b533e88d3a765b86fae8d49fe1be24e0d8c4eb237092f7ccfdb2856f86af288107d8820a32dffc065a829b4ace1387cc8fd3e333ebbc

Download Submit