Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-3erdksdhbq
Target 8accd407222deef7660f75dcba8cf6c6
SHA256 ca87f191be00b273242716a4b2747d4da6027befc4ed6e12ad0046a9b3a9c572
Tags
upx adware discovery persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ca87f191be00b273242716a4b2747d4da6027befc4ed6e12ad0046a9b3a9c572

Threat Level: Shows suspicious behavior

The file 8accd407222deef7660f75dcba8cf6c6 was found to show suspicious behavior.

Malicious Activity Summary

upx adware discovery persistence stealer

UPX packed file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 23:25

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 23:25

Reported

2024-02-02 23:28

Platform

win7-20231215-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2836 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe

"C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 postip.sidetab.co.kr udp

Files

memory/1748-0-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1748-1-0x00000000003B0000-0x00000000003F3000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 a91d1721d3d945db7b97b2184d01bcff
SHA1 9f2a2e0c00dfde68cc68dfb68ebf68bfe2db4b96
SHA256 4a14bdc36a06c2f07e2f90c3efa6ea408b9dc36181e418f5a001eaf9cdcd9389
SHA512 4d3594d3c7f6856d7bff004825df3e7b274069070476f0e040245c6f14613c2fe5ec6cac6ae1c54104c978c4899d2b0421425f146d8e0a96ca44b711ce08fd66

\Program Files (x86)\PostTip\PostTip.exe

MD5 dd0481ba5c98acab24d53e6a894bd429
SHA1 d83b22224aa891ed22d4e3549066b8a0e19d005c
SHA256 84fde9b01b4d3c5bc7d8bf487c9d64e7e86021f060f624c6d693c1e196bf2e9c
SHA512 3716353b3d604f56f4f30681d62ca1ce6b21f5ae2839c5e43ada0efe5b5e511c8e0fd5fe07d95326b2e0bd21df06ea159561a4a9903ecef7779a20fc8aae6b60

memory/1748-25-0x0000000000400000-0x0000000000443000-memory.dmp

C:\DelUS.bat

MD5 89dfe7a7a6147c643bb4337b3103ae33
SHA1 be87652d93427342a60fe92e68f20116af3329a4
SHA256 50e509882ff928822ac2ee9ed38a1bd294012484179b90864cd7933e88d16893
SHA512 bc6c905e2942844297311614ad15113de82f3fc07b612c5f55a7f997a11bcd72cfa4f6d53f78aebb2ab2b80a6e4a2b9d8711280ead4bc75e1ac78d6a86e3097a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 23:25

Reported

2024-02-02 23:28

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PostTip\PostTip.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PostTip = "C:\\Program Files (x86)\\PostTip\\PostTip.exe" C:\Program Files (x86)\PostTip\PostTip.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C4BF6897-41A2-454B-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PostTip\PostTip.exe C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
File created C:\Program Files (x86)\PostTip\PostTip.dll C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
File created C:\Program Files (x86)\PostTip\uninstall.exe C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ = "ISideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PostTip\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\0\win32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\VersionIndependentProgID\ = "SideTab.SideTabCtl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ = "C:\\Program Files (x86)\\PostTip\\PostTip.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ = "PostTip" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\ = "SideTab 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\ = "SideTabCtl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A12EF54F-2691-4C32-AC1B-F65D144A3988}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2B006B6-159A-4384-B05C-4B5511C16354}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671}\TypeLib\ = "{A12EF54F-2691-4C32-AC1B-F65D144A3988}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl.1\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CLSID\ = "{C4BF6897-41A2-454b-AC3B-437F30BEA671}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4BF6897-41A2-454b-AC3B-437F30BEA671} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SideTab.SideTabCtl\CurVer\ = "SideTab.SideTabCtl.1" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe

"C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"

C:\Program Files (x86)\PostTip\PostTip.exe

"C:\Program Files (x86)\PostTip\PostTip.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c \DelUS.bat

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"
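The WriteProcessMemory table and the Processes list together describe one install chain: the dropper in %TEMP% registers PostTip.dll with regsvr32 /s, launches PostTip.exe from Program Files (which registers the DLL a second time), and runs cmd.exe /c \DelUS.bat to remove itself. The script below is an added example, not part of this report, that rebuilds the process tree from the WriteProcessMemory rows and flags each step of that chain. WPM_ROWS is copied verbatim from the table above. CMDLINES pairs the Processes list with the child PIDs from those rows and is an assumption, because the report does not print PIDs next to the command lines.

```python
"""Rebuild the process tree from WriteProcessMemory rows and flag the
install chain: Temp dropper -> regsvr32 of a non-system DLL -> dropped EXE
-> cmd.exe running a .bat.

Added example; not part of the sandbox report. WPM_ROWS is copied from the
report. CMDLINES is an assumed PID -> command line pairing.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

WPM_ROWS = r"""
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Program Files (x86)\PostTip\PostTip.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1904 wrote to memory of 4480 N/A C:\Program Files (x86)\PostTip\PostTip.exe C:\Windows\SysWOW64\regsvr32.exe
"""

# Assumed pairing of the report's Processes list with the child PIDs above.
CMDLINES = {
    5096: r'"C:\Users\Admin\AppData\Local\Temp\8accd407222deef7660f75dcba8cf6c6.exe"',
    4724: r'regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"',
    1904: r'"C:\Program Files (x86)\PostTip\PostTip.exe"',
    3496: r'C:\Windows\system32\cmd.exe /c \DelUS.bat',
    4480: r'regsvr32 /s "C:\Program Files (x86)\PostTip\PostTip.dll"',
}

# Parent path is taken non-greedily up to the next " C:\" so paths with spaces survive.
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$')
SYSTEM_DLL_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
Edge = Tuple[int, int, str, str]  # (parent pid, child pid, parent image, child image)


def parse_rows(text: str) -> List[Edge]:
    """One edge per parent/child pair. The sandbox logs three writes per child
    here, so identical rows collapse. A write into a PID the parent did not
    create is the case to chase as injection; these all line up with creation."""
    seen: Set[Edge] = set()
    edges: List[Edge] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


def build_tree(edges: List[Edge]):
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        images[ppid] = pimg
        images[pid] = cimg
    child_pids = {c for _, c, _, _ in edges}
    roots = [p for p in images if p not in child_pids]
    return children, images, roots


def render(children, images, pid: int, depth: int = 0) -> List[str]:
    lines = [f"{'  ' * depth}{pid} {images[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


def findings(edges: List[Edge], cmdlines: Dict[int, str]) -> List[str]:
    out = []
    for ppid, pid, pimg, cimg in edges:
        low = cmdlines.get(pid, '').lower()
        if cimg.lower().endswith('\\regsvr32.exe'):
            m = re.search(r'"?([a-z]:\\[^"]+\.dll)"?', low)
            if m and not m.group(1).startswith(SYSTEM_DLL_DIRS):
                out.append(f'{ppid} -> {pid}: regsvr32 registering non-system DLL {m.group(1)}')
        if cimg.lower().endswith('\\cmd.exe') and re.search(r'/c\s+\S*\.bat', low):
            out.append(f'{ppid} -> {pid}: cmd.exe running batch file, parent {pimg}')
        if '\\appdata\\local\\temp\\' in pimg.lower() and '\\program files' in cimg.lower():
            out.append(f'{ppid} -> {pid}: Temp executable launched {cimg}')
    return out


if __name__ == '__main__':
    edges = parse_rows(WPM_ROWS)
    children, images, roots = build_tree(edges)
    for root in roots:
        print('\n'.join(render(children, images, root)))
    print('\n'.join(findings(edges, CMDLINES)))
```

The same three rules map onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) without the PID bookkeeping; the tree builder is only needed when, as here, the evidence is a memory-write log rather than a process-creation log.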

Network

Country Destination Domain Proto
US 8.8.8.8:53 postip.sidetab.co.kr udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/5096-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Program Files (x86)\PostTip\PostTip.dll

MD5 a91d1721d3d945db7b97b2184d01bcff
SHA1 9f2a2e0c00dfde68cc68dfb68ebf68bfe2db4b96
SHA256 4a14bdc36a06c2f07e2f90c3efa6ea408b9dc36181e418f5a001eaf9cdcd9389
SHA512 4d3594d3c7f6856d7bff004825df3e7b274069070476f0e040245c6f14613c2fe5ec6cac6ae1c54104c978c4899d2b0421425f146d8e0a96ca44b711ce08fd66

C:\Program Files (x86)\PostTip\PostTip.exe

MD5 dd0481ba5c98acab24d53e6a894bd429
SHA1 d83b22224aa891ed22d4e3549066b8a0e19d005c
SHA256 84fde9b01b4d3c5bc7d8bf487c9d64e7e86021f060f624c6d693c1e196bf2e9c
SHA512 3716353b3d604f56f4f30681d62ca1ce6b21f5ae2839c5e43ada0efe5b5e511c8e0fd5fe07d95326b2e0bd21df06ea159561a4a9903ecef7779a20fc8aae6b60

memory/5096-11-0x0000000000400000-0x0000000000443000-memory.dmp

C:\DelUS.bat

MD5 89dfe7a7a6147c643bb4337b3103ae33
SHA1 be87652d93427342a60fe92e68f20116af3329a4
SHA256 50e509882ff928822ac2ee9ed38a1bd294012484179b90864cd7933e88d16893
SHA512 bc6c905e2942844297311614ad15113de82f3fc07b612c5f55a7f997a11bcd72cfa4f6d53f78aebb2ab2b80a6e4a2b9d8711280ead4bc75e1ac78d6a86e3097a