7b9f6e331bd8f3002cb4b3a23dade43bc3c3465823a8e24e8dd4552de6e2ca20

Analysis

max time kernel
31s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e9e9f2d5dcb357aaf47955605bbe10.dll
Size

380KB
MD5

19e9e9f2d5dcb357aaf47955605bbe10
SHA1

2ed3b28ec1446a88dd44ffbbe17137598d854fbb
SHA256

7b9f6e331bd8f3002cb4b3a23dade43bc3c3465823a8e24e8dd4552de6e2ca20
SHA512

a8ecfc82e0174f0b7e5782ecdc1f6d408962e1b4443c3839b42ce7241b854bed260f763bda4c1c98857f9376bf01ac1e5686ffaf8fa1e82db9164c6777fc971a
SSDEEP

6144:49nH+nnClbLQwdTPHAxayVIZg/Z3Ft6sFaXEdzP35dWPPXx+f/NhrBBCWC+:49InCJQsTPCs0ZVt6s9dzJ48XNhrSJ+

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	341d.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	341d.exe
2604	341d.exe
2496	341d.exe
1668	mtv.exe

Loads dropped DLL 21 IoCs

pid	Process
2708	regsvr32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2496	341d.exe
2340	rundll32.exe
2340	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe
2624	rundll32.exe
2496	341d.exe
2496	341d.exe
2496	341d.exe
2496	341d.exe
2496	341d.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	341d.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\s.exe	mtv.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\3bef.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b34o.dll	rundll32.exe
File created	C:\Windows\SysWOW64\6610371-115	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341e.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\341d.exe	rundll32.exe
File created	C:\Windows\SysWOW64\27e692	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\a34b.flv	rundll32.exe
File opened for modification	C:\Windows\f6f.bmp	rundll32.exe
File opened for modification	C:\Windows\a8fd.exe	rundll32.exe
File opened for modification	C:\Windows\ba8u.bmp	rundll32.exe
File opened for modification	C:\Windows\ba8d.exe	rundll32.exe
File created	C:\Windows\Tasks\ms.job	rundll32.exe
File opened for modification	C:\Windows\14ba.exe	rundll32.exe
File opened for modification	C:\Windows\a8f.flv	rundll32.exe
File opened for modification	C:\Windows\bf14.bmp	rundll32.exe
File opened for modification	C:\Windows\8f6.exe	rundll32.exe
File opened for modification	C:\Windows\6f1u.bmp	rundll32.exe
File opened for modification	C:\Windows\4bad.flv	rundll32.exe
File opened for modification	C:\Windows\ba8d.flv	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ProgID\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32\ = "C:\\Windows\\SysWow64\\b34o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\VersionIndependentProgID\ = "BHO.TttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\ = "CTttPlayer Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer.1\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\ = "CTttPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CLSID\ = "{EBF93111-7A1D-4843-A998-0AFE8FE5F325}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92379EF0-EBF8-43AA-B33D-D05008038B36}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ = "ITttPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.TttPlayer\CurVer\ = "BHO.TttPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBF93111-7A1D-4843-A998-0AFE8FE5F325}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9BCCE2C-1787-4F98-A27F-D9A0CD54F9F9}\TypeLib\ = "{92379EF0-EBF8-43AA-B33D-D05008038B36}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2496	341d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1668	mtv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 1328 wrote to memory of 2340	1328	rundll32.exe	16
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2572	2340	rundll32.exe	26
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2560	2340	rundll32.exe	25
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2580	2340	rundll32.exe	24
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2632	2340	rundll32.exe	17
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2708	2340	rundll32.exe	18
PID 2340 wrote to memory of 2704	2340	rundll32.exe	23
PID 2340 wrote to memory of 2704	2340	rundll32.exe	23
PID 2340 wrote to memory of 2704	2340	rundll32.exe	23
PID 2340 wrote to memory of 2704	2340	rundll32.exe	23
PID 2340 wrote to memory of 2604	2340	rundll32.exe	22
PID 2340 wrote to memory of 2604	2340	rundll32.exe	22
PID 2340 wrote to memory of 2604	2340	rundll32.exe	22
PID 2340 wrote to memory of 2604	2340	rundll32.exe	22
PID 2340 wrote to memory of 1668	2340	rundll32.exe	29
PID 2340 wrote to memory of 1668	2340	rundll32.exe	29
PID 2340 wrote to memory of 1668	2340	rundll32.exe	29
PID 2340 wrote to memory of 1668	2340	rundll32.exe	29
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2496 wrote to memory of 2736	2496	341d.exe	28
PID 2340 wrote to memory of 2624	2340	rundll32.exe	27
PID 2340 wrote to memory of 2624	2340	rundll32.exe	27
PID 2340 wrote to memory of 2624	2340	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e9e9f2d5dcb357aaf47955605bbe10.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\19e9e9f2d5dcb357aaf47955605bbe10.dll,#1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b34o.dll"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32/b34o.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2708
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -s
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\SysWOW64\341d.exe
    C:\Windows\system32/341d.exe -i
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/4f3r.dll"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/b4cb.dll"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32/a1l8.dll"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll, Always
    3⤵
    - Loads dropped DLL
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    C:\Users\Admin\AppData\Local\Temp\h8nil4o8\mtv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1668

C:\Windows\SysWOW64\341d.exe
C:\Windows\SysWOW64\341d.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32/341e.dll,Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\b34o.dll

Filesize
151KB

MD5
da9b956a6093638af38f31bb4be027ab

SHA1
53840ce481f0134e3703a8076286e254e523942a

SHA256
57e8e383c8c6b3e438ae4a99be9d238fcf5d75b589385fce3dd95c1dbacdfe24

SHA512
f7f64055d33293d968540c281872b8f29b71a7c14b748c537711d1724b235d933955e41617ceaa4bb5744bcdc2fd227dc97d7903465fc7340a46fdc55004d844

Download Submit
\Windows\SysWOW64\b34o.dll

Filesize
105KB

MD5
29246c528907fe6124fdf906f04fb857

SHA1
1e5749aac43f1964c874d9a9d4a9e7f9db08dc8b

SHA256
656033bfe00bd011b1d8e1c1304a77e3953c631f715de4747296bdf8f94d6898

SHA512
1a21b506f8c95c2ba9946db15d7f70f3cbf025cc4a9aa550bb730efb641cab2cb801025a227ed84a88f698c2b63ba608d2c39e09268ea4e02c89d4ba0d893305

Download Submit
memory/2340-5-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2340-4-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/2340-3-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/2340-0-0x0000000010000000-0x0000000010078000-memory.dmp

Filesize
480KB

Download
memory/2496-88-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-90-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/2496-128-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2496-127-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-130-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-131-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/2496-133-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/2496-136-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/2496-135-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-138-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/2496-140-0x0000000000F80000-0x0000000000F82000-memory.dmp

Filesize
8KB

Download
memory/2496-142-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/2496-145-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

Filesize
8KB

Download
memory/2496-144-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-147-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

Filesize
8KB

Download
memory/2496-149-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/2496-152-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/2496-151-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-155-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

Filesize
8KB

Download
memory/2496-154-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-158-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2496-157-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-161-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/2496-160-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-163-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-164-0x0000000000970000-0x0000000000972000-memory.dmp

Filesize
8KB

Download
memory/2496-167-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/2496-166-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-169-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/2496-172-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/2496-171-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-175-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2496-174-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-177-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/2496-179-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/2496-181-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/2496-183-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-184-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/2496-187-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/2496-186-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-189-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/2496-191-0x0000000000A40000-0x0000000000A42000-memory.dmp

Filesize
8KB

Download
memory/2496-192-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-195-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/2496-194-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-196-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2496-198-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download