2ce7005021fd9db68978c5cd02e93174cfb9480cf9713b0f748da82db2a2b599

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fccdb039e0fb627716e7aa2fe76d5c9.exe
Size

377KB
MD5

0fccdb039e0fb627716e7aa2fe76d5c9
SHA1

0c399b51376fed8f385335244f59726d3622e3d3
SHA256

2ce7005021fd9db68978c5cd02e93174cfb9480cf9713b0f748da82db2a2b599
SHA512

c40ffc2f4a01f013a1db1e1b1291e87fa294466dd8f55213bee8a17c7e8e943100e8bbc400366c8ca45d4eed1dfd6a7505b7ec7b0f3c9cecc7aa64aa44c09cee
SSDEEP

6144:UDeC6ckx/n4UjtEJheJcZLbRJaUogKZoWuxVcJoj8rgG+Tf4BcTDTyFMgSq0lA+V:UtZh7hTRJaUogKtgDcgZf4BcHTwp2hvz

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
39	3496	rundll32.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fkwld.sys	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\drivers\usb8028.sys	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\drivers\usb8028x.sys	74F1.tmp
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f1971.exe

Executes dropped EXE 4 IoCs

pid	Process
4576	74F1.tmp
3800	f1971.exe
1136	f1971.exe
744	f1971.exe

Loads dropped DLL 64 IoCs

pid	Process
4576	74F1.tmp
4576	74F1.tmp
4576	74F1.tmp
4188	regsvr32.exe
744	f1971.exe
3496	rundll32.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe
744	f1971.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	74F1.tmp
File opened for modification	\??\PhysicalDrive0	f1971.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\f1971.exe	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\6f11.dll	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\197c1.dll	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\f1971.exe	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\6f11.dlltmp	74F1.tmp
File created	C:\Windows\SysWOW64\-106-73100123	rundll32.exe
File created	C:\Windows\SysWOW64\0ce	rundll32.exe
File created	C:\Windows\SysWOW64\-122-73100123	0fccdb039e0fb627716e7aa2fe76d5c9.exe
File opened for modification	C:\Windows\SysWOW64\f61.dll	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\	74F1.tmp
File created	C:\Windows\SysWOW64\f61.dll	74F1.tmp
File created	C:\Windows\SysWOW64\6f11.dll	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\HelpIE.dll	74F1.tmp
File opened for modification	C:\Windows\SysWOW64\bho.dll	74F1.tmp

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\9631.exe	74F1.tmp
File opened for modification	C:\Windows\	74F1.tmp
File opened for modification	C:\Windows\191.bmp	74F1.tmp
File opened for modification	C:\Windows\9631.exe	74F1.tmp
File created	C:\Windows\191.bmp	74F1.tmp
File opened for modification	C:\Windows\74F1.tmp	0fccdb039e0fb627716e7aa2fe76d5c9.exe
File opened for modification	C:\Windows\63fd1.txt	74F1.tmp
File opened for modification	C:\Windows\3fd941.rm	74F1.tmp
File created	C:\Windows\63fd1.txt	74F1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023156-3.dat	nsis_installer_1

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\ = "dbho 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\ = "ff Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\dbho.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff\CLSID\ = "{FAAAC0F6-94BE-4466-934B-7C53666A2F41}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff\ = "ff Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CCF11A98-DC8C-40A9-ABAA-DF9C4D6DD923}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib\ = "{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\dbho.DLL\AppID = "{CCF11A98-DC8C-40A9-ABAA-DF9C4D6DD923}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ = "Iff"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CCF11A98-DC8C-40A9-ABAA-DF9C4D6DD923}\ = "dbho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\TypeLib\ = "{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ = "Iff"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff.1\CLSID\ = "{FAAAC0F6-94BE-4466-934B-7C53666A2F41}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff\CurVer\ = "dbho.ff.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff.1\ = "ff Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\AppID = "{CCF11A98-DC8C-40A9-ABAA-DF9C4D6DD923}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\ProgID\ = "dbho.ff.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\6f11.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbho.ff.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\InprocServer32\ = "C:\\Windows\\SysWow64\\6f11.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}\TypeLib\ = "{0FECB569-7E71-4ADB-AC44-F3C1C0E8EF2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAAAC0F6-94BE-4466-934B-7C53666A2F41}\VersionIndependentProgID\ = "dbho.ff"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90C84F29-48AF-4822-80AA-C959808A210B}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4576	74F1.tmp
Token: SeSystemtimePrivilege	4576	74F1.tmp

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4576	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	91
PID 3180 wrote to memory of 4576	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	91
PID 3180 wrote to memory of 4576	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	91
PID 4576 wrote to memory of 452	4576	74F1.tmp	93
PID 4576 wrote to memory of 452	4576	74F1.tmp	93
PID 4576 wrote to memory of 452	4576	74F1.tmp	93
PID 4576 wrote to memory of 4592	4576	74F1.tmp	94
PID 4576 wrote to memory of 4592	4576	74F1.tmp	94
PID 4576 wrote to memory of 4592	4576	74F1.tmp	94
PID 4576 wrote to memory of 4976	4576	74F1.tmp	95
PID 4576 wrote to memory of 4976	4576	74F1.tmp	95
PID 4576 wrote to memory of 4976	4576	74F1.tmp	95
PID 4576 wrote to memory of 3112	4576	74F1.tmp	96
PID 4576 wrote to memory of 3112	4576	74F1.tmp	96
PID 4576 wrote to memory of 3112	4576	74F1.tmp	96
PID 4576 wrote to memory of 652	4576	74F1.tmp	97
PID 4576 wrote to memory of 652	4576	74F1.tmp	97
PID 4576 wrote to memory of 652	4576	74F1.tmp	97
PID 4576 wrote to memory of 2948	4576	74F1.tmp	98
PID 4576 wrote to memory of 2948	4576	74F1.tmp	98
PID 4576 wrote to memory of 2948	4576	74F1.tmp	98
PID 4576 wrote to memory of 4188	4576	74F1.tmp	99
PID 4576 wrote to memory of 4188	4576	74F1.tmp	99
PID 4576 wrote to memory of 4188	4576	74F1.tmp	99
PID 4576 wrote to memory of 3800	4576	74F1.tmp	101
PID 4576 wrote to memory of 3800	4576	74F1.tmp	101
PID 4576 wrote to memory of 3800	4576	74F1.tmp	101
PID 4576 wrote to memory of 1136	4576	74F1.tmp	103
PID 4576 wrote to memory of 1136	4576	74F1.tmp	103
PID 4576 wrote to memory of 1136	4576	74F1.tmp	103
PID 4576 wrote to memory of 3496	4576	74F1.tmp	105
PID 4576 wrote to memory of 3496	4576	74F1.tmp	105
PID 4576 wrote to memory of 3496	4576	74F1.tmp	105
PID 3180 wrote to memory of 1176	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	106
PID 3180 wrote to memory of 1176	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	106
PID 3180 wrote to memory of 1176	3180	0fccdb039e0fb627716e7aa2fe76d5c9.exe	106

C:\Users\Admin\AppData\Local\Temp\0fccdb039e0fb627716e7aa2fe76d5c9.exe
"C:\Users\Admin\AppData\Local\Temp\0fccdb039e0fb627716e7aa2fe76d5c9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\74F1.tmp
  C:\Windows\74F1.tmp /S
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\HelpIE.dll"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\bho.dll"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\da34.dll"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\ba8f.dll"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6f1.dll"
    3⤵
    PID:652
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6f11.dll"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\6f11.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:4188
- - C:\Windows\SysWOW64\f1971.exe
    C:\Windows\system32\f1971.exe -i
    3⤵
    - Executes dropped EXE
    PID:3800
- - C:\Windows\SysWOW64\f1971.exe
    C:\Windows\system32\f1971.exe -s
    3⤵
    - Executes dropped EXE
    PID:1136
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32 C:\Windows\system32\f61.dll,Always
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0fccdb039e0fb627716e7aa2fe76d5c9.exe
  2⤵
  PID:1176

C:\Windows\SysWOW64\f1971.exe
C:\Windows\SysWOW64\f1971.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Inst.dll

Filesize
120KB

MD5
32b8494964d4a1a507d325be7db23ce4

SHA1
dbdca6ea7b7f3c2b593ed2621a9c45e885141d0a

SHA256
b7ff51d1494e375883fdf739a18afb32de4c27384c797ff0386ba06ee595d0de

SHA512
9ab03e13c95be24ba0b9c1a5d2c22f9e81783cf69cb77e133c7e36197ca4ddfbb47ef29ee00b760120a2b79744c412a2d98210681eeda18dcb3ff303d8260644

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz7707.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\play.dll

Filesize
828KB

MD5
576cadaa9c201b5f05aec6e85cd37c31

SHA1
2145077313118613905078b5cb2bd239aeaf2862

SHA256
2e6e42019244277cb69625ed34d6a858d5d9403e1f21d137fb5e65b98184e98c

SHA512
40ce2b15e2ad68c48e4f3106707850a8e86771c4c06e20b03446e191a09d24e5027936df7be19e7474a7ce81c366155045119fec009a8113cc7a2425cbac7dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ser.exe

Filesize
108KB

MD5
a242d1e4962868f472d3f0ce50474726

SHA1
1346437f90e313f5506593bc4786f0d81bda84f9

SHA256
72fa91eff373cf202c0b306eda09b1da2dfb04ef8442bbab95cc37ca2ba8db48

SHA512
079bd9668635995fc1431b50e42b9e556abdcb802635e0137255ebced4db7d9d796554553666e0d5c1db9c6082f60d4ea66588a96d909e02bdba1ef2790815d9

Download Submit
C:\Windows\74F1.tmp

Filesize
346KB

MD5
b16edc3ac4b6331aaa5d1e03b245cca9

SHA1
c68fb8e1065026e27a2a20f140384b116b88c72b

SHA256
ee7fb1bed56c10f05e3fedd058def581d8e04e8d50f0bbaa7e07ebdb448ec5fc

SHA512
b87e5b808353c16fbf63592f6561602187ef0f74d450e863c89d2aa0833aa1b59c1d6f4cd0d04b1e038df0544f6f24d6faff550131e8b3c405b9e8186c4e807b

Download Submit
C:\Windows\SysWOW64\-122-73100123

Filesize
8B

MD5
19ecd5141f089d40a7339e679d8deae9

SHA1
b353f0394a98dc074bed8c9c090ef0943eb6e7b9

SHA256
28e97e6373c9611fd2d1d5d3484d3ba8932e34920b71643597ed0b9857ae221b

SHA512
e20414ebba8813db09022dc78337be66a0a97bec4d74c0d57af2b0f931bdf2ffeba073586d7d4cae0bf750903f93807ce187d944abafc5996da91558fae405ef

Download Submit
C:\Windows\SysWOW64\6f11.dll

Filesize
124KB

MD5
ca64b102b080ea10587fda7457bf3311

SHA1
f32043c452691247f678a563ff8aeafd60bdfd76

SHA256
1e580dfbeda3979542e0893f3e30d27419d3b2fabd0b10170ed1b5da4ccee24a

SHA512
64ca1f58d25d607414cf220cd98ee11922984851864a4c39de60fd4dab7e86593645816ca1341ff64d9c2d3c2f35d5455e36304274199745b5f23bb901fa34db

Download Submit
memory/4576-17-0x00000000022F0000-0x0000000002310000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads