24dff57c5888e400cbe5cda12e040b769efcedf8ff6bb129d1d0bea599d41406

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3751b7da41f44be46b9b8f2bbbffb0e5.exe
Size

610KB
MD5

3751b7da41f44be46b9b8f2bbbffb0e5
SHA1

790b64ccc80fec5d7efe3afce733bc560d2407f8
SHA256

24dff57c5888e400cbe5cda12e040b769efcedf8ff6bb129d1d0bea599d41406
SHA512

bd1a08c361db0b51ea776e35f440a7181481f687adcecb43e54ee3e108ff0856811c4d1f119d29f528798813833327a3c241994280e90dd97419793559049a84
SSDEEP

12288:umNVdMxVxw6zYjtAU+RNy7azdDyk2wct9apa4BlzerKfFssK7gx:PBswHoRc7Ah7lB4ouB7gx

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	AdvTCApp.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe
2252	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adv_TopC = "C:\\Program Files (x86)\\AdvTopC\\TCSearch.exe"	3751b7da41f44be46b9b8f2bbbffb0e5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AdvTopC\TCUnins.exe	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\tcse.dat	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\TCSearch.exe	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\tcwhk.dll	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\tcskip.dat	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\AdvTCApp.exe	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\AdvTCApp.tlb	3751b7da41f44be46b9b8f2bbbffb0e5.exe
File created	C:\Program Files (x86)\AdvTopC\TCHelper.dll	3751b7da41f44be46b9b8f2bbbffb0e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\AppName = "AdvTCApp.exe"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\AppName = "AdvTCUp.exe"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\AppPath = "C:\\Program Files (x86)\\AdvTopC"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0748ADA-0334-4bcd-B2A9-F12E4C754AEC}\Policy = "3"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\AppPath = "C:\\Program Files (x86)\\AdvTopC"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\CLSID = "{86D56D8B-9667-4C58-8BE5-37616F07A2AE}"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9FFF5A03-2C66-462e-A2AE-19CA87E20DBE}\Policy = "3"	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	3751b7da41f44be46b9b8f2bbbffb0e5.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}	3751b7da41f44be46b9b8f2bbbffb0e5.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\ = "TCHelper 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\0\win32\ = "C:\\Program Files (x86)\\AdvTopC\\TCHelper.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\FLAGS	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ = "ITopClickReceiver"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib\Version = "1.0"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\CLSID\ = "{86D56D8B-9667-4C58-8BE5-37616F07A2AE}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCExtDisp\ = "TCExtDisp Class"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver\ = "TopClickReceiver Class"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\FLAGS\ = "0"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\ = "AdvTCCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\InprocServer32\ = "C:\\Program Files (x86)\\AdvTopC\\TCHelper.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\HELPDIR	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\TypeLib\Version = "1.0"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl\CurVer\ = "TCHelper.AdvTCCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\ = "IAdvTCCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCUIHandler\CLSID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\ = "TCUIHandler Class"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\ProxyStubClsid32	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib\ = "{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\ProxyStubClsid32	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\VersionIndependentProgID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\TypeLib\ = "{393A6F9A-B9AF-4cc4-9205-7D9AD84E3599}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1CBECE76-7A9C-4118-9B1D-255EF4A28B0A}\TypeLib\ = "{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\ = "ITCExtDisp"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\TypeLib\ = "{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\ProgID\ = "AdvTCApp.TCExtDisp.1"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCUIHandler.1\CLSID\ = "{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}\VersionIndependentProgID\ = "AdvTCApp.TCUIHandler"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TopClickReceiver.1\CLSID\ = "{86D56D8B-9667-4C58-8BE5-37616F07A2AE}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\ProxyStubClsid32	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AE9542B-4924-4A56-8AC8-7DC3427A2CDF}\VersionIndependentProgID\ = "AdvTCApp.TCExtDisp"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7CC10CB-5560-41D1-AA01-90ACDD24FAD8}	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86D56D8B-9667-4C58-8BE5-37616F07A2AE}\VersionIndependentProgID	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\ = "AdvTCCtrl 1.0 Type Library"	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TCHelper.DLL\AppID = "{7C3D497D-F1D3-4E2C-A3C1-613D598C7B65}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TCHelper.AdvTCCtrl	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AdvTCApp.TCExtDisp\CurVer\ = "AdvTCApp.TCExtDisp.1"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\ProxyStubClsid32	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\TypeLib\Version = "1.0"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{229EDC5F-3F55-4873-AA68-DF2EE6B37B1D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8BE945B-214C-4FF4-90D4-D27453803121}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{393A6F9A-B9AF-4CC4-9205-7D9AD84E3599}\1.0\0\win32	AdvTCApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{133F4BA0-B28D-438C-9AC0-2632BA756582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8978781-0BA6-4D59-BC95-5FB099420444}\TypeLib	AdvTCApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E5EF872-03E2-4CE0-94DF-CA8A5004ECFD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2220	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	28
PID 2188 wrote to memory of 2220	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	28
PID 2188 wrote to memory of 2220	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	28
PID 2188 wrote to memory of 2220	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	28
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29
PID 2188 wrote to memory of 2252	2188	3751b7da41f44be46b9b8f2bbbffb0e5.exe	29

C:\Users\Admin\AppData\Local\Temp\3751b7da41f44be46b9b8f2bbbffb0e5.exe
"C:\Users\Admin\AppData\Local\Temp\3751b7da41f44be46b9b8f2bbbffb0e5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\AdvTopC\AdvTCApp.exe
  "C:\Program Files (x86)\AdvTopC\AdvTCApp.exe" /r
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2220
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\AdvTopC\TCHelper.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AdvTopC\AdvTCApp.exe

Filesize
320KB

MD5
c3dc18876c9500faeed84e38262e183c

SHA1
0ad15ba6ee28af15c0d21d1e273f34b489d24ced

SHA256
20a3466fcb70a05e96d4d5290d88ca22c22644d5c39cf31df12f3b20c214b4a2

SHA512
83ebdb8c2d85e32cf796fbae28bae9a6c9b9b003ccd40c21b7517018b644b4c112b4692c989c6256f49e7871c8cc728230d31c35c0ebfefd68beaa5daf067aa7

Download Submit
C:\Program Files (x86)\AdvTopC\AdvTCApp.exe

Filesize
394KB

MD5
b5d36fed9e49fdaca57bb233ae8d71ea

SHA1
8412a5fbbe6cff75cbcb4d3a62ccafb76f2c1f31

SHA256
f6207744cd416d789e3127743b6d6bb643ce899ef2ca936be5e5b5676c90421c

SHA512
6d6ee2f5e6163fcb2c0b0402335c2abd9c49ec5435d4266bfd175562f9771267134de74bddded70af30b2a7a3da55b3c510027eda6691df509815fae31b50bd7

Download Submit
C:\Program Files (x86)\AdvTopC\AdvTCApp.tlb

Filesize
3KB

MD5
4ad2317975992cb827c99397296433c3

SHA1
4f9a3c07d593dbec249ae07ad3695ffe8e85df9b

SHA256
20852414f8cdbd73ff07027718185004158d218714fe8bb2d2611f42e1d53ea5

SHA512
49642cd10aee341d1b3c880d54f1c83fc46341aa2bf5b91849769014fc1cd851291dec1629e8dc3409e4ca4c9153bc768555c4912983f4c1a6539950a2bbb395

Download Submit
C:\Program Files (x86)\AdvTopC\TCHelper.dll

Filesize
245KB

MD5
1fee0f44329d098cf139e053760311b4

SHA1
e31bf1429bd9c3d2eae70c9f5acce97434165674

SHA256
89123b1fefe891e420940144da38a9cf9f1302694fc0da8d5b5a32bbed6e27f9

SHA512
1775ab7814773f95ced0c2111e33dc94d9d194b0e62e65014bc4ee8834e70494e2365cc2c033a38e053195a5cfd7c386988a09f04639380ddab3307ec5ad5c39

Download Submit
\Program Files (x86)\AdvTopC\AdvTCApp.exe

Filesize
384KB

MD5
31a46b37c67c5119deab1562151c4d5b

SHA1
576b2aa8e51346a513ca8b9ef0758abb7c08121b

SHA256
813ca0e1c5d49a8c138965320a9f0fa593e3897ed2474184e482bb6f600c89d9

SHA512
be46d1c7b20880f672d4c024f7cb52fdb3078da7e70bde4de4974491e63dc2836b9b5c0f2a3e2f8a413ab39d81471b01c268550bd5ba7acc9c192ffb9818af48

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads